Understanding GitHub Apps authentication

Hello GitHub Community,
I am trying to understand how GitHub App authentication works and why I am seeing HTTP/2 401
“Bad credentials” on some but not all api functions.

I have setup an app, installed it to all my repositories, and have the appId and the secret key available. I create the JWT with the ruby example code from this guide:

Then I am trying to get all repos of an organization. Without JWT Token I get the public repos, with JWT token attached I get the error:

curl -i -H "Authorization: Bearer $JWT_TOKEN" \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/orgs/<my-org>/repos

Error message:

HTTP/2 401 
server: GitHub.com
date: Wed, 20 Oct 2021 11:26:23 GMT
content-type: application/json; charset=utf-8
content-length: 90
x-github-media-type: github.v3; format=json
[...]
{
  "message": "Bad credentials",
  "documentation_url": "https://docs.github.com/rest"
}

However if I use the same syntax with this API method, I get valid data back with HTTP/2 200 response:

curl -i -H "Authorization: Bearer $JWT_TOKEN" \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/repos/<my-org>/<my-repo>/installation

Both API methods are listed as “Works with GitHub Apps” in the REST reference page:

Long term goal is to create a GitHub App that retrieves the clone URL for all repositories in . If you know code snippets or open source projects as a starting point, this is welcome too.

Thanks, Martin