Thanks, that makes sense to me.
I saw here that you are allowed to replace the client ID with the app access token, but the same wasn’t mentioned for the user access tokens above.
App access tokens get client credentials (not user credentials). […] Client credentials also may be used in place of client ID headers to securely identify your application.
However, each example here seems to only use the Auhorization header, except the multiple-purpose endpoint GET /users which ultimately confused me enough to make me open this thread.
Still getting internal server errors when requesting with PUT correctly though, so I assume that the API is not yet producation-ready on weekends, haha.