
How do I connect to an IAP-protected service with PHP via a service account? I already fail to get the Authentication Bearer, so I guess I'm completely on the wrong track:

<?php
// google/apiclient (Google_Client v2) installed via Composer.
require_once 'vendor/autoload.php';

$scopes = ['https://www.googleapis.com/auth/iam'];

$client = new Google_Client();
// Application Default Credentials: the key file named by
// GOOGLE_APPLICATION_CREDENTIALS, or the GCE metadata server.
$client->useApplicationDefaultCredentials();
$client->setScopes($scopes);
// setSubject() is meant for domain-wide delegation (acting as a G Suite user).
$client->setSubject('example@example.iam.gserviceaccount.com');
$client->setOpenidRealm('https://example.com');
// getAccessToken() only returns a token that has already been fetched; without an
// explicit fetch it returns null, which is what the var_dump below showed.
$client->fetchAccessTokenWithAssertion();
$access_token = $client->getAccessToken();

var_dump($access_token);

Any pointer to where and how to start would be highly appreciated.

Noam Hacker
user1737246

1 Answer


Have you seen https://cloud.google.com/iap/docs/authentication-howto ? Unfortunately we don't have sample code for PHP yet, but that explains the basic concepts. The "Robot Parade" section of https://cloudplatform.googleblog.com/2017/04/Getting-started-with-Cloud-Identity-Aware-Proxy.html may be helpful as well.

Unfortunately, IAP doesn't support access tokens for authentication, so you're going to need to get a service-account-signed JWT, and it needs to have a special "target_audience" claim. Is $client->config['signing_key'] set? If so, you have access to the service account's private key, and can... take a look at https://github.com/google/google-auth-library-php/blob/master/src/OAuth2.php#L417 and if you can get the credentials object you can do something like that, add the target_audience claim.

If you don't have access to the private key, which I think is only the case if you're running on GCE and using a service account from the metadata server, you'll have to use the IAM signBlob API: https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signBlob . This requires some tricky setup on the GCE instance, https://cloud.google.com/iap/docs/authentication-howto documents it.

Sorry, I know this is all more complicated than it should be! I'm not a PHP expert, but I hope this at least helps. -- Matthew, Identity-Aware Proxy engineer

Matthew Sachs
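An added worked example of the flow the answer describes, written for this page and not code from the question, the answer, or Google's libraries: build a service-account JWT carrying the extra "target_audience" claim, sign it either with the local private key (JSON key file) or, when only the GCE metadata server is available, via the IAM signBlob API, exchange it at Google's token endpoint for an OpenID Connect ID token, and send that ID token as the Bearer token to the IAP-protected URL. The IAP OAuth client ID, the target URL, and the key-file path are placeholders; the signBlob path assumes the service account has been granted roles/iam.serviceAccountTokenCreator on itself, which is the "tricky setup" the answer refers to.

```php
<?php
// Added example, not from the original post. Placeholders below must be replaced.
const TOKEN_URI     = 'https://www.googleapis.com/oauth2/v4/token';
const IAP_CLIENT_ID = '1234567890-abc.apps.googleusercontent.com'; // placeholder: IAP OAuth client ID
const IAP_URL       = 'https://example.com/';                      // placeholder: protected resource
const KEY_FILE      = '/path/to/service-account.json';             // placeholder: JSON key file

function b64url(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Minimal cURL helper returning [http_status, body]; no external HTTP library needed.
function http_request(string $url, array $headers, ?string $body = null): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_POST           => $body !== null,
    ]);
    if ($body !== null) {
        curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
    }
    $resp = curl_exec($ch);
    if ($resp === false) {
        throw new RuntimeException('curl: ' . curl_error($ch));
    }
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return [$status, $resp];
}

// Unsigned JWT: a normal service-account assertion for the token endpoint plus
// the IAP-specific target_audience claim. Lifetime is capped at one hour.
function build_unsigned_jwt(string $sa_email, ?int $now = null): string {
    $now = $now ?? time();
    $header = ['alg' => 'RS256', 'typ' => 'JWT'];
    $claims = [
        'iss'             => $sa_email,
        'sub'             => $sa_email,
        'aud'             => TOKEN_URI,
        'iat'             => $now,
        'exp'             => $now + 3600,
        'target_audience' => IAP_CLIENT_ID,
    ];
    return b64url(json_encode($header)) . '.' . b64url(json_encode($claims));
}

// Signer 1: the private key is available locally (the "private_key" PEM from the key file).
function sign_with_local_key(string $unsigned, string $private_key_pem): string {
    if (!openssl_sign($unsigned, $sig, $private_key_pem, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('openssl_sign failed: ' . openssl_error_string());
    }
    return $unsigned . '.' . b64url($sig);
}

// Signer 2: no local key (GCE metadata-server service account). Fetch an access
// token from the metadata server and ask IAM v1 signBlob to sign the JWT.
function sign_with_signblob(string $unsigned, string $sa_email): string {
    [$st, $body] = http_request(
        'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token',
        ['Metadata-Flavor: Google']);
    $access = json_decode($body, true)['access_token'] ?? null;
    if ($st !== 200 || $access === null) {
        throw new RuntimeException("metadata token request failed ($st): $body");
    }
    [$st, $body] = http_request(
        'https://iam.googleapis.com/v1/projects/-/serviceAccounts/' . rawurlencode($sa_email) . ':signBlob',
        ['Authorization: Bearer ' . $access, 'Content-Type: application/json'],
        json_encode(['bytesToSign' => base64_encode($unsigned)]));
    $sigB64 = json_decode($body, true)['signature'] ?? null;
    if ($st !== 200 || $sigB64 === null) {
        throw new RuntimeException("signBlob failed ($st): $body");
    }
    return $unsigned . '.' . b64url(base64_decode($sigB64));
}

// Exchange the signed assertion for an ID token. Because target_audience is set,
// the token endpoint returns "id_token" (an OIDC token for IAP), not "access_token".
function exchange_for_id_token(string $signed_jwt): string {
    [$st, $body] = http_request(TOKEN_URI,
        ['Content-Type: application/x-www-form-urlencoded'],
        http_build_query([
            'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
            'assertion'  => $signed_jwt,
        ]));
    $json = json_decode($body, true);
    if ($st !== 200 || empty($json['id_token'])) {
        throw new RuntimeException("token exchange failed ($st): $body");
    }
    return $json['id_token'];
}

$key      = json_decode(file_get_contents(KEY_FILE), true);
$unsigned = build_unsigned_jwt($key['client_email']);
$signed   = sign_with_local_key($unsigned, $key['private_key']);
// On GCE without a key file use instead:
// $signed = sign_with_signblob($unsigned, 'example@example.iam.gserviceaccount.com');
$idToken  = exchange_for_id_token($signed);

[$st, $page] = http_request(IAP_URL, ['Authorization: Bearer ' . $idToken]);
echo "IAP responded with HTTP $st\n";
```

The ID token is valid for about an hour, so a real client should cache it and only repeat the exchange when it expires; each exchange costs a signature plus a round trip to the token endpoint, and with the signBlob path an extra IAM call as well. A 401 or 403 from IAP with a freshly minted token usually means the "target_audience" does not match the OAuth client ID configured for that IAP resource, or the service account has not been granted the IAP-secured Web App User role.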