The best thing is to use some server side processing to request the access token, which also helps you hide your app's Client Secret.
If you already have a website hosted somewhere, then you might not want to migrate all that to another server just so that you could also run e.g. Node.js code. You could either just create another web server only for the authentication part, or simply add some server-side code to your existing webpage. Most servers (even the free hosting ones) support PHP, so you could probably go with that.
As a test I got a free website, https://adamenagy.com. After that I could simply follow what Augusto already talked about in this blog post.
I just needed to create and upload three files to the main folder of my webpage, where the index.html or index.php file is: viewer.html, auth.php, httpsful.phar
The only thing I needed to add to the original code was the scoping for the access token request: scope=data:read (line 39 in auth.php)
And of course I had to add my app's Client ID and Client Secret to the code (line 11 & 12 in auth.php)
My server's PHP did not like the "define()" parts, but adding what Maxence suggested in the comments of Augusto's post helped: use double quotes in them for the constant names (line 11-13 in auth.php)
Now I can just go on https://adamenagy.com/viewer.html and the viewer shows the model whose URN I insert in the text box.
The three files (viewer.html, auth.php, httpsful.phar): https://github.com/adamenagy/AuthenticateInPHP