You can use the SURFconext OpenID Connect endpoint to get access_tokens which allow you to query the VOOT API on behalf of the user.
More information on SURFconext OpenID Connect can be found here: OpenID Connect reference
After you have configured your cliient in the SURFconext SP Dashboard, you can request the SURFconext support desk to configure your client to allow for the scope "groups" to be requested.
Once they have configured this, your client can request authorization using the scopes "groups" and "openid". The access_token you will then receive can be used as a Bearer token to query the VOOT API.
You can test your credentials and see the entire flow in our playground: https://oidc-playground.surfconext.nl/
Continue with VOOT description to read more about the API itself and how to query it with your access token.