Agreed! The get request query should not include the authorization bearer token since it's already set up in the resource page.
For troubleshooting purposes, it's helpful to Preview the query and then check that API Request tab as you've done in your second screenshot. Previewed queries aren't sanitized, so you can actually see what the ACCESS_TOKEN is evaluating to
For the resource page, is the body an array? I'm wondering if it should be {{http1.body.access_token}}