The authentication flows / grant types used don’t matter to the API, all that matters in the end is the token, which it needs to verify. The verification is based on signature of and claims within the token. That’s all that matters, not in which way the token has been requested.
This docs (and further linked pages) describe what standard claims to verify.
Luckily the SDKs and libraries available (which you can find at the bottom of page jwt.io), make such token verification easy due to available helper methods.
Is there anything in the token to differentiate how it was generated?
In a way, yes. With CCG, the sub
claim will be a client id in the form of:
"sub": "g3t8sYP8jvB0kHn005uF2kEA2lYAVGgZ@clients",
for example, while with ACF, it will be a user id. So, if a sub
is a client (application) id, it’s a hint that this token has been requested via CCG, but as said, the grant type doesn’t matter, simply base it on claims in the token.