M2M tokens and active users calculation?

:wave: @tjhoo :smiley:

Assuming an external system obtained an access once a day, then calling the protected APIs 1,000 times on the same day. How would these M2M tokens be calculated?

It depends on the context of access.

If an external application is calling a protected API on behalf of a user - as in to access user resources; arguably, the most common use case in Auth0 (see here for more details) - then the Access Token generated would fall into the 7,500 MAU category. I.e. user authentication would be required, and that would come out of the MAU quota. In the MAU quota scenario, you can essentially issue as many Access Tokens as are required for a user within the month he/she authenticates. For some more detailed information regarding the MAU calculation, see the post here.

If, however, some backend service or task is obtaining an Access Token in order to make an API call independent of any user context - typically referred to as Client Credentials grant/flow in OAuth 2 - then this will come out of the M2M quota.

Assuming an external system obtained an access once a day, then calling the protected APIs 1,000 times on the same day. How would these M2M tokens be calculated?

With M2M, each and every token issued by Auth0 will count as 1 against quota. So, in your example, it would take 1000 days to exhaust the entire M2M quota. Because M2M tokens are almost exclusively issued to confidential clients - i.e. non-public, protected backend environments - the generally recommended strategy is indeed to issue a longer-lived Access Token (e.g. 24 hours) and then reuse it until it expires.

In neither of the above scenarios does the number of calls made to the protected API count against quota - only the process of issuing Access Tokens counts.

Hope this helps :sunglasses:
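
The reuse strategy recommended in the answer above, sketched as an added example (not part of the original post and not Auth0's own code): a small cache that requests a new Client Credentials token only when the current one is about to expire. The names `CachedM2MToken`, `fetch_from_auth0`, `simulate` and the 60-second `leeway` are hypothetical; the tenant domain, client ID, client secret and audience are placeholders supplied by the caller, and the simulation uses a constructed fake issuer and clock so it runs offline.

```python
import json
import threading
import time
import urllib.request


def fetch_from_auth0(domain, client_id, client_secret, audience):
    """One Client Credentials request; arguments are placeholders."""
    body = json.dumps({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    }).encode()
    req = urllib.request.Request(f"https://{domain}/oauth/token", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        payload = json.load(resp)
    return payload["access_token"], payload["expires_in"]


class CachedM2MToken:
    """Reuses one access token until shortly before it expires, so the
    token endpoint is hit once per token lifetime, not once per API call."""

    def __init__(self, fetch, clock=time.monotonic, leeway=60):
        self._fetch, self._clock, self._leeway = fetch, clock, leeway
        self._lock = threading.Lock()
        self._token, self._expires_at = None, 0.0
        self.issued = 0  # number of tokens requested so far

    def get(self):
        with self._lock:  # avoid parallel workers each requesting a token
            now = self._clock()
            if self._token is None or now >= self._expires_at - self._leeway:
                self._token, ttl = self._fetch()
                self._expires_at = now + ttl
                self.issued += 1
            return self._token


def simulate(calls_per_day, days, ttl=86400):
    """Constructed offline run: a fake issuer and a fake clock."""
    now = [0.0]
    cache = CachedM2MToken(lambda: (f"tok-{now[0]:.0f}", ttl), lambda: now[0])
    for _ in range(days * calls_per_day):
        cache.get()                      # one protected-API call
        now[0] += 86400 / calls_per_day  # spread calls evenly over the day
    return cache.issued
```

In a real service the cache would be built once per process with `lambda: fetch_from_auth0(...)` as its `fetch` argument, and the client secret kept in the backend's secret store rather than in source.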