Description
For URL encoded requests, an example has been given where the authorization header is used. This is repeated in the next three examples.
My inference: The access token MUST be sent as an Authorization header.
The template from micropub.rocks states the following:
[ ] The client sends the access token in the HTTP Authorization header.
[ ] The client sends the access token in the post body for x-www-form-urlencoded requests.
My inference: The access token may be sent in either way, but for URL encoded requests, it MUST use the post body. For all other methods of form submission, it MUST be included in the headers.
Lastly, the access_token property is reserved for both URL encoded and form data requests:
A few POST body property names are reserved when requests are sent as x-www-form-urlencoded or multipart/form-data.
- access_token - the OAuth Bearer token authenticating the request (the access token may be sent in an HTTP Authorization header or this form parameter)
My inference: it MAY be sent in either the headers or the post body, and this is true for BOTH URL encoded requests as well as form data requests. The server MUST look at both headers and post body to get an access token.
As you can see, there is potential for a lot of confusion and this should be clearly laid out in the spec itself.
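To make the third reading above concrete, here is an added example (not from the spec or from micropub.rocks) of a server that looks in both the Authorization header and the reserved `access_token` form property, for URL encoded and multipart bodies alike. The function names, the lower-cased header dict and the `TokenError` class are assumptions of this sketch; rejecting a request that carries the token twice follows RFC 6750 section 2, which the issue itself does not discuss.

```python
from email.parser import BytesParser
from email.policy import HTTP
from urllib.parse import parse_qs


class TokenError(ValueError):
    """No usable access token, or more than one, in the request."""


def form_access_tokens(content_type: str, body: bytes) -> list:
    """Collect access_token values from the two form encodings that reserve the name."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type == "application/x-www-form-urlencoded":
        return parse_qs(body.decode("utf-8")).get("access_token", [])
    if media_type == "multipart/form-data":
        # Reuse the stdlib MIME parser by prepending the request's Content-Type.
        raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
        msg = BytesParser(policy=HTTP).parsebytes(raw)
        return [
            part.get_content().strip()  # bearer tokens contain no whitespace
            for part in msg.iter_parts()
            if part.get_param("name", header="content-disposition") == "access_token"
        ]
    return []  # JSON and other bodies: access_token is not a reserved property


def extract_access_token(headers: dict, body: bytes) -> str:
    """headers: dict with lower-cased names (an assumption of this example)."""
    found = []
    auth = headers.get("authorization", "")
    if auth:
        scheme, _, credential = auth.partition(" ")
        if scheme.lower() != "bearer" or not credential.strip():
            raise TokenError("Authorization header is not a Bearer credential")
        found.append(credential.strip())
    found += form_access_tokens(headers.get("content-type", ""), body)
    if not found:
        raise TokenError("no access token in header or form body")
    if len(found) > 1:
        # RFC 6750 section 2: a client must not use more than one method per request.
        raise TokenError("access token supplied more than once")
    return found[0]
```

A server written to the first or second reading would differ only in which of the two sources it consults, which is why the spec wording matters for interoperability.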