Active Directory shouldn't affect the token service at all, just how accounts are created/maintained on FME Server. Rather than the FME Server admin creating accounts for new users, they can import the user/group from AD.
To generate a token for a specific account you need to be logged in to FME Server as that account, or use the REST API Token Manager.
When you create a repository you need to define the permissions for others. That should be done on a role level. webapi users would have Run Workspace, Read/Run access to specific repositories, and probably access to specific topics, whereas authors would have download/publish rights on the repository as well. You would use AD to assign specific people/groups to those roles.