This is a very valid scenario, and your understanding is correct.
For custom connectors using Generic OAuth 2.0, the token exchange and refresh calls are handled by the Power Platform connector backend. They do not go through the custom connector operation pipeline, so policies, header parameters, and request transformations do not apply to the OAuth handshake itself.
Because of that, there is currently no supported maker-side setting that I am aware of to add a custom static header, such as User-Agent, specifically to the Authorization URL, Token URL, or Refresh URL calls.
Possible workarounds are limited:
Ask the API provider to allow Microsoft Power Platform OAuth/token requests or relax the User-Agent enforcement specifically for token endpoints.
Use a middleware/proxy endpoint for the OAuth/token exchange that adds the required header before forwarding the request to Canvas LMS.
If available, use a different supported auth pattern that avoids this specific token exchange limitation.
Raise this as a Microsoft support case or product feedback item, because this would likely require a platform-level enhancement.
I agree this is a practical blocker. A connector-level option to define headers for OAuth token and refresh requests, or a default Power Platform User-Agent on backend OAuth calls, would be a useful improvement.
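A sketch of the middleware/proxy workaround listed above, as an added example that is not part of the original answer or any Microsoft or Canvas code: the connector's Token URL and Refresh URL would point at this endpoint, which forwards the POST to one fixed upstream with the required header. The upstream host, the User-Agent value, the `/token` path and the size limit are assumptions.

```python
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumptions for illustration: placeholder Canvas host and User-Agent value.
TOKEN_URL = "https://canvas.example.edu/login/oauth2/token"
USER_AGENT = "contoso-canvas-connector/1.0"
MAX_BODY = 16 * 1024  # token requests are small form posts
FORWARDED = ("content-type", "authorization", "accept")  # header allow-list

def build_upstream_request(body, inbound_headers):
    """Build the POST to the fixed token URL; the caller never picks the target."""
    headers = {k: v for k, v in inbound_headers.items() if k.lower() in FORWARDED}
    headers["User-Agent"] = USER_AGENT  # the header the backend cannot set
    return urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")

class TokenProxy(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        if self.path != "/token" or not 0 < length <= MAX_BODY:
            self.send_error(400)
            return
        # The body (client_secret, code, refresh_token) is relayed, never logged.
        req = build_upstream_request(self.rfile.read(length), dict(self.headers))
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                status, ctype, payload = resp.status, resp.headers.get("Content-Type"), resp.read()
        except urllib.error.HTTPError as err:
            # Relay OAuth error responses (e.g. invalid_grant) unchanged.
            status, ctype, payload = err.code, err.headers.get("Content-Type"), err.read()
        except urllib.error.URLError:
            self.send_error(502)
            return
        self.send_response(status)
        self.send_header("Content-Type", ctype or "application/json")
        self.send_header("Cache-Control", "no-store")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

if __name__ == "__main__":
    # Bind locally; terminate TLS in a reverse proxy or gateway in front.
    HTTPServer(("127.0.0.1", 8080), TokenProxy).serve_forever()
```

The proxy sits in the path of the client secret, authorization codes and refresh tokens, so it needs the same access controls and log hygiene as the credential itself.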