What you mention as concepts and skills are - in your example - equivalent.
Authentication and Authorization are concepts, but so are databases and REST APIs. Designing a secure role-based auth system is a skill. Similarly, designing a REST API which confers with the JSON:API standard is a skill. You get the point.
With that said, I would highly recommend you to take a project and then apply these concepts (on the top of my head):
- Role-based or tier-based authentication and authorization;
- Data structures based on volatility vs. immutability;
- Server-Side and client-side caching;
- Message Queues and their more-applied form: delayed response mechanisms;
- Payment systems (this is a tough one)