When sending an OAuth request to index.php, it will be interpreted as a valid anonymous request:
$ curl -sS -H "Authorization: Bearer 0000" -o /dev/null -D - https://en.wikipedia.org/wiki/Main_Page HTTP/2 200 ...
(It will be anonymous even if the access token is valid.)
It'd probably probably be less confusing to respond with a HTTP 400 or 403.