ID Token and Access Token: What Is the Difference?

Of course, everyone can do what they think is right :wink:
In a first-party scenario, you can choose to send an ID token to call an API, albeit with some potential risk.
In a third-party or delegated authorization scenario (the one for which OAuth was originally born), this is strongly discouraged for several reasons that I tried to explain in the article. Among these reasons:

  • the ID token does not contain authorization information (scopes) about what the application can do on behalf of the user
  • the user has not given consent to the application to use the ID token for that purpose

If your API needs the user’s information to make authorization decisions, your access token should provide it. For example, if your access token is in JWT format, you can provide additional claims.
After all, this is the reason behind the JWT Profile for OAuth 2.0 Access Tokens specification.

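As an added illustration of the last point (this is example code, not part of the original post or of Auth0's libraries): a resource server that accepts a JWT access token carrying a `scope` claim, and rejects an ID token presented in its place. Both tokens are minted with the same HMAC key so that the signature check alone cannot tell them apart; what separates them is the `typ` header (`at+jwt`, as the JWT Profile for OAuth 2.0 Access Tokens, RFC 9068, requires), the audience, and the granted scopes. The issuer URL, client ID, API audience, signing key and user data are hypothetical values chosen for the example; a real deployment would verify signatures against the issuer's published keys rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical values for this example (not taken from the original post).
SIGNING_KEY = b"demo-shared-secret-change-me"
ISSUER = "https://issuer.example.com/"
CLIENT_ID = "spa-client-123"                    # the application (ID token audience)
API_AUDIENCE = "https://api.example.com/orders"  # the API (access token audience)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(header: dict, claims: dict, key: bytes = SIGNING_KEY) -> str:
    """HS256-sign a header/claims pair into a compact JWT."""
    signing_input = "%s.%s" % (
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def mint_id_token(sub: str, now=None) -> str:
    """ID token as OpenID Connect defines it: audience is the client, no scopes."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID, "iat": now,
              "exp": now + 3600, "nonce": "n-0S6_WzA2Mj",
              "name": "Jane Doe", "email": "jane@example.com"}  # constructed profile data
    return sign_jwt(header, claims)


def mint_access_token(sub: str, scope: str, now=None) -> str:
    """Access token in the RFC 9068 shape: typ at+jwt, audience is the API, scope present."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "at+jwt"}
    claims = {"iss": ISSUER, "sub": sub, "aud": API_AUDIENCE, "client_id": CLIENT_ID,
              "iat": now, "exp": now + 3600, "jti": "tok-0001", "scope": scope}
    return sign_jwt(header, claims)


def validate_access_token(token: str, required_scope: str, now=None, key: bytes = SIGNING_KEY):
    """Resource-server checks for a JWT access token, following RFC 9068 section 4.
    Returns (claims, None) on success or (None, reason) on failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return None, "undecodable token"
    # Pin the algorithm before verifying: never let the token choose (e.g. alg=none).
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(key, ("%s.%s" % (parts[0], parts[1])).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    # A validly signed token is still not enough: it must be an access token for this API.
    if str(header.get("typ", "")).lower() not in ("at+jwt", "application/at+jwt"):
        return None, "not an access token (typ is %r)" % header.get("typ")
    if claims.get("iss") != ISSUER:
        return None, "wrong issuer"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if API_AUDIENCE not in aud:
        return None, "token not intended for this API (aud=%r)" % aud
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None, "expired"
    # Authorization decision: the scope claim says what the client may do for this user.
    granted = set(str(claims.get("scope", "")).split())
    if required_scope not in granted:
        return None, "insufficient scope (granted %s)" % sorted(granted)
    return claims, None


if __name__ == "__main__":
    fixed_now = 1_700_000_000
    access = mint_access_token("user-42", "openid read:orders", now=fixed_now)
    identity = mint_id_token("user-42", now=fixed_now)
    print(validate_access_token(access, "read:orders", now=fixed_now))
    print(validate_access_token(identity, "read:orders", now=fixed_now))
```

The ID token is rejected even though its signature verifies: it names the application, not the API, as its audience, and carries no `scope`, so the API has no way to know what the user consented to. The access token carries both, which is exactly the information the API needs to make its authorization decision.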