The problem might be related to the currently-broken (imho) implementation of app-tokens, as shown in issue #2581. The bottom line is that when you change your normal password, all app-tokens are immediately invalid. (This goes against my understanding of app-tokens, and how they behave on other sites like github, gitlab, etc.)
PR 9485 addresses this but is slated for NC14, and so far there has been resistance to backport it to NC13 (or further). Until then (it might be a while), this design-feature might negate most benefits of using app-tokens.