Best practice: Wrapping 3rd party IdP access-token
Our situation:
- We are currently implementing a sensitive flow in which the resource owner gives us access to retrieve their data as a one-time operation through a trusted 3rd party identity-provider.
- Authentication happens through OIDC with the OAuth Authorization-code flow and PKCE.
What we want to achieve:
After a successful client authentication at the IdP, we are provided with an access-token to retrieve the resource owner's data; instead of exposing the IdP access-token directly to our front-end client, we would like to wrap the original IdP access-token to restrict resource access through our back-end client.
The question(s):
- Is it considered bad practice to extend/wrap an existing access-token?
- My idea is that we wrap the token by encrypting it using symmetric encryption (AES-256 CBC using a secured key and random salt at each encryption), so that only our back-end can decrypt the original access-token and fetch the resource owner's data. That way we can pass the wrapped token to our front-end, and restrict their resource retrieval access through our back-end. However, I am uncertain if there is a better way of achieving this.
Note:
I have also considered if we should generate and store an entirely new reference access-token, but I would like to prevent that, as it transfers part of the security responsibilities to our service rather than the IdP. We want to rely on the expiration and security of the original IdP access-token.
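The wrapping idea from the question, as an added example and not the asker's code: in place of AES-CBC, which hides the token but lets anyone alter the ciphertext undetected, it uses AES-256-GCM so the back end rejects a tampered or swapped blob, and it binds the session id and the IdP-issued expiry as authenticated data so the IdP's own lifetime still governs access. The `newAEAD`/`Wrap`/`Unwrap` names, the blob layout, the session id and the 32-byte key are assumptions of this example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"time"
)

// newAEAD builds the back-end-only AES-256-GCM instance (hypothetical helper); key must be 32 bytes.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap seals the IdP token under a fresh nonce and binds the session id and IdP
// expiry as AAD, so the front end can neither read, re-home nor extend the token.
func Wrap(aead cipher.AEAD, idpToken, sessionID string, expiresAt time.Time) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	exp := make([]byte, 8)
	binary.BigEndian.PutUint64(exp, uint64(expiresAt.Unix()))
	ct := aead.Seal(nil, nonce, []byte(idpToken), append([]byte(sessionID), exp...))
	// assumed blob layout: exp(8) || nonce || ciphertext+tag, base64url without padding
	return base64.RawURLEncoding.EncodeToString(append(append(exp, nonce...), ct...)), nil
}

// Unwrap runs only on the back end: same session, same key, IdP expiry not yet passed.
func Unwrap(aead cipher.AEAD, blob, sessionID string, now time.Time) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(blob)
	n := aead.NonceSize()
	if err != nil || len(raw) < 8+n+aead.Overhead() {
		return "", errors.New("malformed wrapped token")
	}
	exp, nonce, ct := raw[:8], raw[8:8+n], raw[8+n:]
	if !now.Before(time.Unix(int64(binary.BigEndian.Uint64(exp)), 0)) {
		return "", errors.New("IdP access token expired")
	}
	pt, err := aead.Open(nil, nonce, ct, append([]byte(sessionID), exp...)) // any tampering fails here
	if err != nil {
		return "", errors.New("invalid wrapped token")
	}
	return string(pt), nil
}
```

The expiry prefix is covered by the authentication tag, so a front end cannot push it forward; the back end still has to call the IdP's revocation or introspection endpoint if it needs to honour revocation before expiry.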
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow