Maybe you’re not making the request correctly, because requests to that endpoint work perfectly fine here with just a Client-ID.
You can use just a Client-ID, but you will have a greatly reduced rate limit compared to using a Bearer token.
As for what tokens an endpoint wants, an App Access Token will work with all endpoints that don’t require a user scope, and in the places where it’s specifically required (such as the Get Webhook Subscriptions endpoint) it does say in the docs that it requires an App Access Token.
Like an App Access Token, a User Access Token can also be used any endpoint (except ones strictly limited to App Access Tokens) to gain an increased rate limit, and in the case of endpoints that require user authorization of a specific scope to access an endpoint then they will be limited to just User Access Tokens as they are the only ones which a user can grant a scope to in the first place.
It does, anything that says it requires a certain authorization scope implies that it requires a User Access Token. Endpoints that use the token to look up specific data based on that token implies that it’ll be a User Access Token when it’s an endpoint that returns user data, and in the case of the Webhook Subscription endpoint it explicitly states it needs an App Access Token. For all other endpoints where a token is a specific requirement, you can use either an App Access Token, a User Access Token, or a Client-ID (with its lower rate limits)