What’s your Square application id? I should be able to look up that 400 bad request error.
As for the access token: the .env file is an example of how you can do it. Realistically, you can put it anywhere you choose, it should just be in a secure location (for example, you could store it in a database that only you have access to, and retrieve it when you need it). The warning about uploading means do not upload the file to public repositories (like GitHub) as anyone would be able to see your access token.