It depends on the app type/auth flow used. The statement above is a bit generic, as it tries to summarize things. You can, and should validate tokens when "you" are representing the resource API. Quote:
Only in specific scenarios should applications validate a token:
- Web APIs must validate access tokens sent to them by a client. They must only accept tokens containing one of their AppId URIs as the
aud
claim.- Web apps must validate ID tokens sent to them by using the user's browser in the hybrid flow, before allowing access to a user's data or establishing a session.
APIs and web applications must only validate tokens that have an
aud
claim that matches the application. Other resources may have custom token validation rules. For example, you can't validate tokens for Microsoft Graph according to these rules due to their proprietary format. Validating and accepting tokens meant for another resource is an example of the confused deputy problem.
There are in fact multiple documents that guide you over the process of validating an access token: https://learn.microsoft.com/en-us/entra/identity-platform/claims-validation
Even outside of these scenarios, decoding a token can provide useful troubleshooting information, but it's not something that you should rely on (not always possible, and "your" validation has zero effect on the actual validation from the resource API).