You used an App Access token that represents no user at all; it’s a key that represents only a ClientID.
Yes, the docs don’t explicitly say it needs to be a User token, but it’s implied, since the userID for the topic needs to match the userID of the token used.
Otherwise there is nothing to stop you generating a topic and capturing, say, Lirik’s subscribers over PubSub for example.
Anything that uses a scope, userID, or “protected data that needs a scope” will require a Token that represents a user.
It’s mentioned here:
In the description about token types
It’s touched on here:
This is an example request for Bits events. It listens to Bits events on channel 44322889. The authorization scope is specified when you generate the OAuth token using our authorization flow; see the Apps & Authentication Guide.
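The rule described in the reply above, written out as a client-side pre-flight check. This is an added example, not part of the original post and not Twitch's code. It assumes the token has already been looked up at Twitch's token validation endpoint and that the result is a dict with `client_id`, `scopes` and, for user tokens only, `user_id`. The topic-to-scope table and all sample values are constructed for illustration.

```python
# Assumed mapping of PubSub topic prefix -> scope the token must carry.
REQUIRED_SCOPE = {
    "channel-bits-events-v1": "bits:read",
    "channel-subscribe-events-v1": "channel_subscriptions",
}

def check_listen(topic, token_info):
    """Return (allowed, reason) for listening to `topic` with this token."""
    prefix, sep, channel_id = topic.rpartition(".")
    if not sep or not channel_id.isdigit():
        return False, "malformed topic"
    scope = REQUIRED_SCOPE.get(prefix)
    if scope is None:
        return False, "unknown topic"
    user_id = token_info.get("user_id")
    if not user_id:
        # App Access token: identifies a ClientID only, no user behind it.
        return False, "token represents no user"
    if user_id != channel_id:
        # Without this match anyone could listen to another channel's data.
        return False, "token user does not match topic userID"
    if scope not in (token_info.get("scopes") or []):
        return False, "missing scope " + scope
    return True, "ok"

# Constructed validation results (client IDs are placeholders).
APP_TOKEN = {"client_id": "example-client-id", "scopes": None}
OWNER_TOKEN = {"client_id": "example-client-id", "user_id": "44322889",
               "scopes": ["bits:read"]}
OTHER_USER_TOKEN = {"client_id": "example-client-id", "user_id": "12345",
                    "scopes": ["bits:read", "channel_subscriptions"]}
UNSCOPED_TOKEN = {"client_id": "example-client-id", "user_id": "44322889",
                  "scopes": []}

if __name__ == "__main__":
    topic = "channel-bits-events-v1.44322889"
    for name, tok in [("app", APP_TOKEN), ("owner", OWNER_TOKEN),
                      ("other user", OTHER_USER_TOKEN),
                      ("no scope", UNSCOPED_TOKEN)]:
        print(name, check_listen(topic, tok))
```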