Those pages you linked to explain the best way to do authz with APIs.
I’m not sure what you mean by reverse-proxy vs. server.
If you are talking about many different APIs all fronted by an API Gateway, it is very common to validate the access token at the gateway and not in the API itself.
There are tradeoffs on this. For a single API, with respect to the access token, a gateway doesn’t provide additional security and is an additional point of failure. However, the gateway may provide other security features that are desirable.
John