And I’ll try to make my answer clearer.
In the context of this transaction, the rule/action is an M2M app. You can think of it as a serverless function that needs to authenticate with your backend, that just so happens to be hosted by Auth0, and just so happens to be run during a user authentication request from your SPA. But it requires a separate auth transaction between two machines.
In this case, your Auth0 Tenant is the auth server that issues the token, the rule/action is the M2M app that is requesting the token, and your backend is the resource server that will validate the token.
The better way is to use M2M/Client credentials. The drawback: there is a cost associated with M2M tokens, and Actions doesn’t have a caching mechanism at the moment, which means you will need one M2M token per call (Rules do, but they will become a legacy feature).
Here is an FAQ I wrote about the topic of authenticating an API call from a rule (the same principles apply whether or not you are using an Action, Rule, or Hook etc.):