1 min read, Jun 16, 2018
Thanks for the question: in the scenario, we are protecting our API, so we use our token. The purpose of the social one is just to validate the social identity against the social API.
We could use the social token to protect our API, but:
- Every time, we should know where the social token comes from (Facebook, Google, Twitter, etc.) to validate it.
- It is slower to call the social API to validate it every time the token is spent on our API.
- It is harder to manage the token lifecycle (expiration, revocation, renewal, etc.) for the two reasons above.
I hope this helps.
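The exchange described in the reply above, as an added illustration that is not code from the original post: the social token is checked once against the provider (here a constructed stand-in for the provider's API), and our own HMAC-signed token is issued in return, so later requests are validated locally and expiry and revocation are handled on our side. `API_SECRET`, `KNOWN_SOCIAL_TOKENS` and the token layout are assumptions for the example.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed stand-in for "validate social identity against the social API".
# A real implementation would call the provider's tokeninfo/userinfo endpoint once.
KNOWN_SOCIAL_TOKENS = {("google", "g-abc"): "alice@example.com"}

def verify_social_token(provider, social_token):
    """Return the social subject if the provider accepts the token, else None."""
    return KNOWN_SOCIAL_TOKENS.get((provider, social_token))

API_SECRET = b"replace-with-a-random-32-byte-secret"  # assumption: loaded from config
REVOKED = set()  # jti values revoked before their expiry

def _b64(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_api_token(subject, provider, ttl=3600, now=None):
    """Mint our own signed token; its lifecycle is ours, not the provider's."""
    now = int(time.time()) if now is None else now
    payload = {"sub": subject, "idp": provider, "iat": now,
               "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(API_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def verify_api_token(token, now=None):
    """Validate locally (signature, expiry, revocation); no call to the social API."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(API_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None  # tampered or forged: reject before trusting the payload
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now or payload["jti"] in REVOKED:
        return None
    return payload

def login(provider, social_token, now=None):
    """The exchange: social token in (checked once), our API token out."""
    subject = verify_social_token(provider, social_token)
    return issue_api_token(subject, provider, now=now) if subject else None

def revoke(token, now=None):
    """Revocation is a local operation on our token id, not on the provider's."""
    payload = verify_api_token(token, now)
    if payload:
        REVOKED.add(payload["jti"])
    return payload is not None
```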