To the extent that that's true, it would be in the opposite direction? Auth tokens are meant to be used by the User Agent to effect the wishes of user, often encode permissions the user has, and are used with public APIs like those intended for web browsers. API keys are usually for private communication like server to server.

The usual expectation is you don't care what agent the user is running. You just care about what they're doing with it (permissions, rate limits, etc.).