
How does a REST API protect itself against an access token that was not generated by an allowed OAuth access token URL?

  • Token generated by an allowed OAuth Access Token URL

"Authorization: Bearer MTqvlvbdm73SIsN2PEhsetOwEHW439N2"

  • Token generated by a hacker

"Authorization: Bearer CAqvlvbdm73SIsN2PEhsetOwEHW439N2"

Blazej SLEBODA

Answer:

This is outside the scope of the OAuth protocol: see Section 1.5 of the specification and note that your question is step (D). The document says:

Steps (C), (D), (E), and (F) are outside the scope of this specification, as described in Section 7.

Section 7 says:

The client accesses protected resources by presenting the access token to the resource server. The resource server MUST validate the access token and ensure that it has not expired and that its scope covers the requested resource. The methods used by the resource server to validate the access token (as well as any error responses) are beyond the scope of this specification but generally involve an interaction or coordination between the resource server and the authorization server.

However, I note that it does not always need to be this way. For example, if your access token is a JWT, then the resource server should be able to verify it without interacting with the authorization server.

The reason it is outside the scope is that it depends upon your architecture. There are various ways that this can be implemented. For example, if the resource server and the access server share the same database, then they do not need to talk to each other.
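An added example, not from the answer or the OAuth specification, of the JWT case the answer describes: the resource server checks the token's signature, expiry and scope locally, without calling the authorization server. It assumes an HS256 secret shared between the two servers (a constructed value here; RS256 with the authorization server's public key is the usual production choice) and also shows why an opaque token like the one in the question cannot be checked this way.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret shared by authorization server and resource server (assumption).
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims, secret=SHARED_SECRET):
    """Authorization-server side: sign base64url(header).base64url(payload) with HMAC-SHA256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_access_token(token, required_scope, secret=SHARED_SECRET, now=None):
    """Resource-server side, no call to the authorization server.
    Checks signature, then expiry, then scope. Returns (ok, reason)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:                      # opaque/random tokens fail here
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":     # pin the algorithm; never accept "none"
            return False, "unexpected alg"
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False, "bad signature"    # forged or tampered token
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if required_scope not in claims.get("scope", "").split():
        return False, "insufficient scope"
    return True, "ok"
```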

TheGreatContini