
PKCE protects the auth token from interception by making it so that only your code that started the flow can redeem it by proving they have the secret code_verifier on the redeem_token() call.

The code_challenge == sha256(code_verifier). You will share the code_challenge at the start of the flow.
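The flow described in the comment above, as an added example that is not part of the original comment. `ToyAuthServer` and `authorize` are hypothetical names, `redeem_token` is taken from the comment, and the challenge uses the S256 encoding from RFC 7636 (base64url of the SHA-256 digest, padding stripped).

```python
import base64
import hashlib
import hmac
import secrets


def make_verifier() -> str:
    # 32 random bytes -> 43-char base64url string (RFC 7636 allows 43-128 chars)
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def s256_challenge(code_verifier: str) -> str:
    # S256: BASE64URL(SHA256(ASCII(code_verifier))), padding stripped
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class ToyAuthServer:
    """Hypothetical in-memory authorization server, just enough to show the check."""

    def __init__(self):
        self._pending = {}  # auth code -> code_challenge stored at start of flow

    def authorize(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code  # returned via the redirect, the step where it can leak

    def redeem_token(self, code: str, code_verifier: str):
        # pop(): a code is single-use whether or not the verifier matches
        expected = self._pending.pop(code, None)
        if expected is None:
            return None
        # Constant-time comparison of stored challenge vs. recomputed one
        if not hmac.compare_digest(expected, s256_challenge(code_verifier)):
            return None
        return "access-token-" + secrets.token_urlsafe(8)  # constructed placeholder


def demo():
    server = ToyAuthServer()
    verifier = make_verifier()
    # Flow 1: the code leaks, but the holder lacks the original verifier
    leaked = server.authorize(s256_challenge(verifier))
    rejected = server.redeem_token(leaked, make_verifier())
    # Flow 2: the client that started the flow presents its verifier
    code = server.authorize(s256_challenge(verifier))
    return rejected, server.redeem_token(code, verifier)
```
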


