Restricting API token access: read-only tokens

Hello, I’ve tried urirestrict, setrole, and providing a user ID when creating app tokens, but nothing seems to be working for ensuring that an app token will only generate sessions with read-only privileges. Would someone be able to recommend a path forward? I’m specifically looking for a way to have read-only access to captions and media entries, and preferably for only a subset of categories in an account. Thank you kindly for any advice.