Authentication is often viewed as a user-is-present activity, making authorisation obvious. But, users are encouraged to create API keys by many SaaS tools, and, these present real authorisation challenges.
Your CRM will allow any user to create this key, it will have full privilege as them, no multi-factor, no timeout. They will then paste it into e.g. Zapier, a tool in their home directory, whatever. From here, control becomes blurry.
Instead, consider an authentication proxy which enriches with this key. Each transaction is authenticated and authorised, and, the proxy then adds the API key it holds in escrow. This authenticating proxy can take care of reducing authorisation scope at the same time.