In answer to my own question, I have found the following -
The 'official node' (node-red-node-fitbit (node) - Node-RED) does not seem to want to authenticate. it looks like it is old (last release says nearly 12 years) and FitBit have updated their authentication methods. Maintainer is listed as @dceejay but that may be as it is also part of a wider set of flows.
There is a contrib node (node-red-contrib-fitbit (node) - Node-RED) but again has not had any updates recently. It may work, but I could not get the right callback URL.
However, there is a fork of the contrib node (GitHub - inglevir/node-red-contrib-fitbit) which does work and has had some recent updates to it.
You do need to set your Node-RED instance up using https, but other than that the authentication worked first time and it usefully provides the correct callback URL.
Is there any appetite to get a 'core' node working well and develop the data recovered from the API? My JS is not up to it, but happy to test .
I'd also like to write data to FitBit as well.
The forked node does what I need right now (which was to get the Battery Level) so I can trigger some reminders to charge/take off charge which was my primary driver at the start of this.
[edit]
After more investigations, it is clear these nodes are designed to work with an old API that only probably still works as it is a legacy format. Take a list of activities (API Docs Get Activity Log List) the API docs suggest the URL should be of a format such as;
https://api.fitbit.com/1/user/-/activities/list.json?afterDate=2019-01-01&sort=asc&offset=0&limit=2
The forked node is generating a URL like (ignore the distance parameter)
https://api.fitbit.com/1/user/-/activities/distance/date/2021-12-22/7d.json
I suspect changing the format might be relatively easy if I understood enough JS. I think probably the nodes need an extensive update to match the API.