
How to achieve good security using the itch.io OAuth authentication?

A topic by mid created Oct 18, 2017 Views: 905 Replies: 3

Should the callback URI point to my global game server which manages basically everything?
But how would the server know which client to trust judging by that API key it's given?

Or should the callback URI point back to the client?
Although this might be insecure as well.


You can refer to the discussion here: 

Basically the idea is:

  • If your game is run via the app, and you've correctly set up your manifest, you'll get a JWT token via an environment variable
    • Send that to your server
    • Your server does the `/me` API request
    • Now your server knows that this IP/session corresponds to that itch.io player
  • If your game is *not* run via the app, listen on http://localhost:5678 (or any port) and open the oauth login page in the user's browser
    • If you can't listen on localhost on the port you registered, specify `urn:ietf:wg:oauth:2.0:oob` as a redirect URI instead, this will allow them to copy/paste the code
    • Once you get the code back - that's an API key, send it to your server
    • Your server does the `/me` API request
    • Now your server knows that this IP/session corresponds to that itch.io player

Hopefully that clears things up a bit! We want to write guides for how to achieve this in the near future, as the API develops.
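The flow in the reply above, written out as an added example (this is not code from the thread or from itch.io): both ways the client obtains an API key, plus the server-side `/me` check that turns that key into a player session. Several details are assumptions rather than something the post states, and are labelled as such in the code: that the itch app hands the JWT over in an `ITCHIO_API_KEY` environment variable, that the browser flow redirects to the registered `http://localhost:PORT/` with the key in the URL fragment (`#access_token=...`), and that the server resolves a key with `GET https://itch.io/api/1/key/me` sent with an `Authorization: Bearer` header and gets back `{"user": {"id": ...}}`. The `/me` call is injectable so the file runs offline against a constructed reply.

```python
"""Added example, not the thread's or itch.io's own code. See lead-in for the
assumptions (env var name, fragment-based redirect, /key/me response shape)."""
import json
import os
import secrets
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ME_URL = "https://itch.io/api/1/key/me"  # assumed endpoint; check current docs

# Page served at the localhost redirect URI. Browsers never send the URL
# fragment to any server, so the page itself POSTs it back to the listener.
CALLBACK_PAGE = b"""<!doctype html><title>itch.io login</title><body>
<script>
fetch('/token', {method: 'POST', body: location.hash.slice(1)})
  .then(() => { document.body.textContent = 'Logged in. You can close this tab.'; });
</script></body>"""


def parse_fragment(fragment):
    """'access_token=abc&x=y' -> 'abc'; None when no token is present."""
    return urllib.parse.parse_qs(fragment).get("access_token", [None])[0]


class LocalCallbackListener:
    """Path 2 (game not launched by the app): loopback-only listener that
    serves CALLBACK_PAGE and collects the fragment the page posts back."""

    def __init__(self, port=5678):
        self._token, self._done, outer = None, threading.Event(), self

        class Handler(BaseHTTPRequestHandler):
            def log_message(self, *args):  # keep the key out of stderr
                pass

            def do_GET(self):
                self.send_response(200)
                self.send_header("Content-Type", "text/html; charset=utf-8")
                self.end_headers()
                self.wfile.write(CALLBACK_PAGE)

            def do_POST(self):
                if self.path != "/token":
                    self.send_response(404)
                    self.end_headers()
                    return
                length = min(int(self.headers.get("Content-Length", "0")), 8192)
                body = self.rfile.read(length).decode("utf-8", "replace")
                outer._token = parse_fragment(body)
                self.send_response(204)
                self.end_headers()
                outer._done.set()

        self._server = HTTPServer(("127.0.0.1", port), Handler)  # never 0.0.0.0
        threading.Thread(target=self._server.serve_forever, daemon=True).start()

    @property
    def port(self):
        return self._server.server_address[1]

    def wait_for_token(self, timeout=120):
        """Block until the page posts the fragment (or timeout), then shut down."""
        got = self._done.wait(timeout)
        self._server.shutdown()
        self._server.server_close()
        return self._token if got else None


def app_api_key():
    """Path 1 (launched by the itch app): JWT from the environment (assumed name)."""
    return os.environ.get("ITCHIO_API_KEY")


def fetch_me(api_key):
    """Real /me call; used only when no fetcher is injected."""
    req = urllib.request.Request(ME_URL, headers={"Authorization": "Bearer " + api_key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class SessionStore:
    """Server side. A client is trusted only through a session issued after
    itch.io confirmed the key via /me, never because of its IP or the bare key."""

    def __init__(self, fetcher=fetch_me):
        self._fetcher, self._sessions = fetcher, {}

    def login(self, api_key):
        """Verify the key with itch.io; return an opaque session id, or None."""
        if not api_key or len(api_key) > 4096:
            return None
        try:
            user = self._fetcher(api_key).get("user")
        except Exception:  # network error, 401 from itch.io, malformed JSON
            return None
        if not user or "id" not in user:
            return None
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = user["id"]
        return session_id

    def user_id(self, session_id):
        return self._sessions.get(session_id)
```

In the game, the client calls `app_api_key()` first and falls back to `LocalCallbackListener(5678)`, opens the itch.io OAuth page with `webbrowser.open(...)`, and sends whatever `wait_for_token()` returns to the server; the server's `SessionStore.login()` then issues the session id that every later request carries. The listener binds only to 127.0.0.1 and logs nothing, since the fragment it receives is a live API key.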

But the API key is sent in the URL fragment, which isn't seen serverside, so how am I supposed to overcome that issue?

Never mind, I've found this page:
https://itch.io/docs/api/oauth