Whereas the api_password can be placed in the URL (like in your example), the Long Lived Access Token goes in the Request Header.
Authorization: Bearer ey62s9A64etcetcetcblablabla
Example:
The goal is to make an Android phone report its battery level and power status to Home Assistant via an HTTP Sensor and an HTTP Binary Sensor, respectively.
MacroDroid is an Android automation app like Tasker. It only lets you do an HTTP GET (not HTTP POST) and doesn’t allow you to define a Request Header. Therefore you can’t use it with the token-based authorization system. However, it supports Tasker plugins like HTTP Request Shortcuts which does support HTTP POST and custom Request Headers. Using the combination of MacroDroid with the HTTP Shortcuts plugin, I made it login to Home Assistant with an access token and report battery level and power status.
Another automation app is Automate. It natively supports HTTP POST and custom Request Headers. Therefore, without employing any plugins, I made it login to Home Assistant with a token and report battery and power.
If whatever you’re using doesn’t let you define a Request Header, to hold the token, then you’ve got a problem.
EDIT
Here’s an example using curl. You’ll notice it performs an HTTP POST and contains two Request Headers, one has the token and the other indicates the body is in JSON format.
curl -X POST -H "Authorization: Bearer joxODUTMjQ0NjYA5fQ.3J2sSvlNGB87MgI9AkBvJQtm1ng" \
-H "Content-Type: application/json" \
-d '{"state": "off"}' \
http://YourServerName:8123/api/states/binary_sensor.phone_power