Regardless of which API token you use, make sure that the "Access the Content Delivery API" or "Access the Content Delivery API in Preview Mode" flag is enabled; otherwise the API token will not be able to make calls to the Content Delivery API (CDA).
If you want to restrict GraphQL access to a selection of your models, you can generate a custom API token and assign a custom role to it.
If an API token can only access specific models, any other field will be completely hidden from the GraphQL schema and response, eliminating any potential information exposure.
On projects created before January 8, 2024 — and that have not explicitly activated the "Improved GraphQL Security" update — the behavior will be slightly different: you can read all the details in the related product update.
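One way to confirm that a restricted token exposes only the models you intended is to introspect the schema with that token and list every object type reachable from the query root. This is an added example, not code from the product documentation; the endpoint URL, the function names and the sample type names (`PostRecord`, `AuthorRecord`) are assumptions, and the sample response is constructed.

```python
import json
import urllib.request

ENDPOINT = "https://graphql.datocms.com/"  # assumption: not stated on this page
TYPE_REF = "kind name ofType { kind name ofType { kind name ofType { kind name } } }"
INTROSPECTION = ("{ __schema { queryType { name } "
                 "types { kind name fields { name type { %s } } } } }" % TYPE_REF)

def fetch_schema(token):
    """POST the introspection query using the restricted token (network call)."""
    req = urllib.request.Request(
        ENDPOINT, data=json.dumps({"query": INTROSPECTION}).encode(),
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["data"]["__schema"]

def named(type_ref):
    """Unwrap NON_NULL / LIST wrappers down to the named type."""
    while type_ref.get("ofType"):
        type_ref = type_ref["ofType"]
    return type_ref["name"]

def unexpected_types(schema, allowed):
    """Object types reachable from the query root that are not in `allowed`.
    Only OBJECT types are walked; interfaces and unions are not followed."""
    objects = {t["name"]: t for t in schema["types"] if t["kind"] == "OBJECT"}
    root = schema["queryType"]["name"]
    seen, stack = set(), [root]
    while stack:
        name = stack.pop()
        if name in seen or name not in objects:
            continue
        seen.add(name)
        stack.extend(named(f["type"]) for f in objects[name]["fields"] or [])
    return sorted(seen - set(allowed) - {root})

# Constructed sample of a "__schema" payload (not real project data).
SAMPLE = {"queryType": {"name": "Query"}, "types": [
    {"kind": "OBJECT", "name": "Query", "fields": [
        {"name": "allPosts", "type": {"kind": "NON_NULL", "name": None, "ofType":
            {"kind": "LIST", "name": None, "ofType":
                {"kind": "OBJECT", "name": "PostRecord"}}}}]},
    {"kind": "OBJECT", "name": "PostRecord", "fields": [
        {"name": "title", "type": {"kind": "SCALAR", "name": "String"}},
        {"name": "author", "type": {"kind": "OBJECT", "name": "AuthorRecord"}}]},
    {"kind": "OBJECT", "name": "AuthorRecord", "fields": [
        {"name": "name", "type": {"kind": "SCALAR", "name": "String"}}]},
    {"kind": "SCALAR", "name": "String", "fields": None}]}
```

Against a live project, pass the result of `fetch_schema(token)` instead of `SAMPLE`; a non-empty result means the token's role grants more than the allowlist you expected.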