The forgejo team reports:
The scope of application tokens was not verified when writing
containers or Conan packages. This is of no consequence when the
user associated with the application token does not have write
access to packages. If the user has write access to packages, such
a token can be used to write containers and Conan packages. An
application token that was used to write containers or Conan
packages without the package:write scope will now fail with an
unauthorized error. It must be re-created to include the
package:write scope.