This is more of an FYI or a bug report as I've solved my issue, however...

We have Atlassian Access and are piloting using Azure AD for our IdP.  Some of our users (myself included) are authenticating using Azure AD, but most are still using Atlassian for their IdP.

One of my users couldn't get his API token to authenticate.  I tried mine - "Works for me!".

Then, it occurred to me that he wasn't using Azure AD, so I added him to the policy for Azure AD and updated the app in Azure AD.

He was then able to generate an API token and it worked fine.

So, moral of the story: if you're using Atlassian Access, you may run into issues with API tokens for users who use Atlassian as the IdP.

P.S. The user in question had tried generating new tokens a couple of times to no avail.  The errors received varied from 401 - user/password not allowed to 403 - not authorized.