Webhook API only accessible with account token?

I have been trying to mitigate this issue where a webhook becomes invalid with an API call to refresh the webhook. Reason: When using n8n, you have a production webhook and a test webhook for development. The test webhook becomes unavailable when not testing, and thus invalid. The same goes with production workflows when you deactivate them.

This just as a background.

However, I came across the issue that a base/app API access token (eyKHK... from /api/v2.1/dtable/app-access-token/) works just fine with everything in the base. However, the same token does not work on e.g. GET /api/v2.1/workspace/1/dtable/my-base-name/webhooks/. However, an account-based token works.

This makes no sense to me, because the webhook API calls are strictly restricted to the base, as the URL (including workspace and base name) shows. My main goal: Avoid using user/password auth within any client app like n8n.