The rule of thumb is that any endpoint that requires a scope, or is reading/writing private data will need a user token. App Access Tokens only work for public data (except for extensions reading subscriber data)
Since you need permission from the content owner to access that content. Subscribers for example, the subscribers endpoint also notes that the broadcaster_id in the query string needs to match the one in the token.
You wanna update a broadcasters channel data? Well that needs a scope and permission from content owner to update their channel etc)
So an app access token doesn’t work for logging into chat as it doesn’t represent a user, and to login to chat you need to be a user.
The users endpont accepts any kind of token, but if you specify a user token with the email scope you get the email returned too, you can also call the users endpoint with no ID/username in the query string and get the user for that token.
It’s somewhat straight forward, theres just some endpoints with alternative behaviour.