My quote was from https://dev.twitch.tv/docs/authentication/#types-of-tokens
I think the reasoning behind why the endpoint doesn’t specify the type of token required is because it’s implied by the fact that it has a required scope, as only a User Access Token can have that scope. A user (in this case, the owner of the extensions) has to grant permission to the app to access that endpoint. App tokens can’t be used on behalf of a user, that’s not what they are for and I think part of the confusion comes from people jumping right into the API reference with minimal understanding of OAuth, or not reading the authentication docs thoroughly.
If you think about it, if an app access token was required you’d never be able to grant 3rd parties access to your extension analytics data as you’d be the only one capable of generating an App Access Token for your extensions.
I agree that the error message you receive isn’t the most informative when it comes to pointing out your issue, but technically it is correct as it’s checking the tokens validity and while it is a valid token it doesn’t have the required scope (because that scope isn’t appropriate for App Access Tokens).