For the first question: You can use a microflow instead of a user role as authentication method, that verifies the tokens and returns a user object if valid, see: https://github.com/mendix/RestServices#securing-published-services, option 3.
For your second question: browsers cannot fire POST, PUT, DELETE requests out of the box, so actually these links should be disabled. See also: https://github.com/mendix/RestServices/issues/58
The browser doesn't understand custom protocols for security; it doesn't send tokens for you automagically. You have to use test tools like curl, postmen or any other thing you can fire arbitrarily http requests with, not a browser.
Thanks for your reaction.
But what I mend with the first question is, when I click on one of the REST service (in a browser) with the authentication method option 3, the browser asks for a username and password. I’ve tried to login with multiple accounts with different userroles and the name of the token as username and the token as password, but the browser keeps asking for a new username and password. I think it’s because the security of the service expects a header with token instead of an username and password?
Thanks for the second answer. It makes sense, because those services expect some data to execute the service.