There are a couple of things worth pointing out. ID tokens are not meant to be continuously sent to an API as means to authorize requests; they are meant to give you information about the user that just completed an authentication process according to OpenID connect. If that authentication also happened as part of an OAuth2 authorization transaction then an access token would also be issued and this token would indeed be suitable to use for making authorized requested to the associated resource server (aka API) on behalf of the end-user.
In addition to that and in general the above flows are coordinated by a client application so it’s not the actual end-user making the raw requests, but instead it’s a client application that will obtain the access token and then make the requests to the API. If you have a client application that can be used to drive these requests then the exact flow that would be used will depend on the client application characteristics. See: Which OAuth 2.0 flow should I use?
On the other hand if you want to give direct access to the API for end-users the exact recommendation would depend on all the details. Among others, are those registered end-users developers or just tech-savvy? Do they authenticate only with database connections (custom username/password) or do they use other methods like social authentication?