we ended up using device flow oauth because, as noted above, it is not possible to launch a browser on the Databricks cluster from a notebook so you cannot use "externalBrowser" flow. It gives you a url and a code and you open the url in a new tab and then copy and paste the code and it gets a token in the notebook. It is awkward but does work for interactive session.

import msal
import logging
import json
import sys
 
config = {
    "client_id": dbutils.secrets.get("<your secret scope>", "Snowflake-Application-Id"),
    "authority": dbutils.secrets.get("<your ecret scope>", "Snowflake-Login-Authority-Url"),
    "scope": [dbutils.secrets.get("<your secret scope>", "Snowflake-Application-Scope")],
}
 
app = msal.PublicClientApplication(config["client_id"], authority=config["authority"])
 
result = None

if "snowflake_access_token" not in locals():
    flow = app.initiate_device_flow(scopes=config["scope"])

    if "user_code" not in flow:
        raise ValueError("Fail to create device flow. Err: %s" % json.dumps(flow, indent=4))
    print(flow["message"])
    sys.stdout.flush()
    
    result = app.acquire_token_by_device_flow(flow)
    snowflake_access_token = result["access_token"]

# Set Snowflake options below.
sfOptions = {
"sfURL" : "<your account>.snowflakecomputing.com",
"sfUser" : "<your user>",
"sfAuthenticator" : "oauth",
"sfToken" : snowflake_access_token,
"sfDatabase" : "",
"sfSchema" : "",
"sfWarehouse" : "<your warehouse>"
}

# Connect to Snowflake and build data frame.
df = spark.read.format("snowflake") \
.options(**sfOptions) \
.option("query", "select * from <some table>") \
.load()

# Output results of above query.
display(df)