This should be clarified. The “APIs documented here” should specifically state that it is referring to the API endpoints listed on THIS page: /admin
This can be seen in the last example on the page:
curl 'https://<your-backend>/admin' \ -H 'X-Auth-Token: <your-token>' \ -H 'Content-Type: application/json' \ --data-binary '{"query":"{ getGQLSchema { schema } }"}'
I believe this wording is due to conflicting changes where multiple endpoints have been combined into the admin endpoint. I think @acarey or @damian might be the right people to tag to review this.
If you are specifically needing to add API token access to the /graphql endpoint then you should look at the @auth directive. If you have a use case for blocking all access to the /graphql endpoint beyond what is capable with @auth, then this might be able to be turned into a feature request instead.