Thanks so much for taking the time to go through this, Dylan.
I've figured out since that I could use the access token given out by the auth callback, so it all makes a bit more sense to me now. It was my lack of understanding of all involved parts that led to my confusion, so again thank you for adding this information here.
That's right, and it is a bit confusing with essentially 2 parts of authentication:
1. Access Tokens (server side stored and used) - distributed to your app during the OAuth callback when the merchant accepts your auth scopes (the /api/auth/callback.js example in next-js-shopify-toolbox)
2. Session Tokens (browser side, JWT, generated by AppBridge) - distributed by Shopify's AppBridge, which requires the shopOrigin (aka shop name) and you pass to **your** API using axios. Behind the API on the server, it's up to you to find the corresponding Access Token given the shop's name from the Session Token.
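Added example, not part of the original thread or of next-js-shopify-toolbox: a sketch of the server-side step described in point 2, verifying the session token before using its shop to look up the stored access token. It assumes the token is an HS256 JWT signed with the app's API secret and carries `iss`, `dest`, `aud`, `exp` and `nbf` claims; the key, secret, `accessTokens` store and function names are constructed or hypothetical.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// Constructed sample values, not real credentials.
const API_KEY = "example-api-key";
const API_SECRET = "example-api-secret";
// Hypothetical store filled by the OAuth callback: shop domain -> access token.
const accessTokens = new Map([["example-shop.myshopify.com", "constructed-access-token"]]);

const b64url = (data) => Buffer.from(data).toString("base64url");

// Demo only: builds a constructed token. In a real app, App Bridge issues it in the browser.
function signForDemo(payload, secret = API_SECRET) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac("sha256", secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(sig)}`;
}

// Verify the session token, then map its shop to the server-side access token.
function accessTokenForSession(token, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [head, body, sig] = parts;

  // Pin the algorithm instead of trusting whatever the token header claims.
  const header = JSON.parse(Buffer.from(head, "base64url").toString());
  if (header.alg !== "HS256") throw new Error("unexpected alg");

  // Recompute the HMAC and compare in constant time.
  const expected = createHmac("sha256", API_SECRET).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error("bad signature");
  }

  // Only read claims after the signature checks out.
  const claims = JSON.parse(Buffer.from(body, "base64url").toString());
  if (claims.aud !== API_KEY) throw new Error("token issued for another app");
  if (!(now < claims.exp) || !(now >= claims.nbf)) throw new Error("token not valid now");
  const shop = new URL(claims.dest).hostname;
  if (new URL(claims.iss).hostname !== shop) throw new Error("iss/dest mismatch");

  const accessToken = accessTokens.get(shop);
  if (!accessToken) throw new Error("no access token stored for shop");
  return { shop, accessToken };
}
```

The shop name is taken only from the verified token, never from a query parameter or request body, so a caller cannot pick which merchant's access token the server uses.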