OK, reading my own question after I solved this problem is kind of embarrassing, given how easy the solution is. I fell into the X-Y problem trap.
I'm doing OAuth2 here. That means different consumers of the API (api.example.com) can, and actually should, have different access tokens, all obtained from the authorisation server (auth.example.com).
I'm glad this question didn't get too much exposure 😁