It seems that Box no longer allows you to leave the client_id and client_secret fields blank (to use rclone's client) when setting up a box remote.
Instead, you need to log into the box developer site and create your own OAUTH2 custom application and use the client_id and client_secret for your custom app. Don't forget to use http://localhost:53682 for the redirect url.
When you published, existing tokens stopped working in box Enterprise until the administrator whitelists the app. Setting up a new remote gets the problem that the redirect url isn't https. The redirect may be ok if it is "localhost" vs "127.0.0.1" or vice versa or it may be that a published app has to use ssl regardless.
I any case, I suggest you update instructions to emphasize setting up your own custom app.