Think I may have found it -- the issue was that the main app and extension had different bundle identifiers (com.orexresearch.EMPSecure versus com.orexresearch.EMPSecure.EMPFileProvider), and the Dropbox Swift toolkit was including the full bundle identifier in its search terms!
I also had to patch the Dropbox Swift toolkit so that it stored the token with the kSecAttrAccessGroup attribute set to the Keychain Access Group value, and the kSecUseDataProtectionKeychain attribute set to TRUE -- the documentation at https://developer.apple.com/documentation/security/keychain_services/keychain_items/sharing_access_to_keychain_items_among_a_collection_of_apps glosses over the fact that you need to set either kSecUseDataProtectionKeychain or kSecAttrSynchronizable for kSecAttrAccessGroup to work; that's only mentioned at https://developer.apple.com/documentation/security/ksecattraccessgroup .
jblum2000
Users receive reputation points by contributing quality content to the forums.
Posts include post and replies published on the forums.
Post authors can mark replies as Accepted to indicate successful solutions.
Apple Developer Forums admins can mark replies as Apple Recommended to indicate an approved solution