
If you use an AppRole, you can define policies that limit the usage of said AppRole to specific IP addresses, EC2 instance IDs, etc., so that even if someone steals the key it will be useless unless they somehow root the server hosting your application (and if they do that, they're getting the secret no matter what).

Even with a regular token, the benefit is that if it is leaked (say, by a git commit, etc.) this by itself doesn't grant you access to the actual secret, because it is stored in Vault, and you'd need to have connectivity to the Vault server(s) to make use of it.
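The two binding points the comment above describes, modelled as an added example (this is not the commenter's code and not HashiCorp Vault's implementation): a toy in-memory "Vault" whose AppRole has a `secret_id_bound_cidrs` list, checked when a SecretID is redeemed for a token, and a `token_bound_cidrs` list, checked on every use of the resulting token. Those two parameter names and the rule that an empty list means unrestricted follow Vault's documented AppRole behaviour; everything else (the `MiniVault` class, the role name `payments-api`, the sample secret, the addresses `10.0.1.0/24` and `203.0.113.9`, and policies reduced to path prefixes) is constructed for the illustration. The scenario walks a stolen SecretID and a stolen token through from outside the bound range, a legitimate login from inside it, and a replay of a single-use SecretID.

```python
"""Toy model of Vault AppRole CIDR binding. Added illustration, not Vault code.

Assumptions: secret_id_bound_cidrs / token_bound_cidrs follow Vault's documented
semantics (empty list = unrestricted); storage, tokens and policies are
simplified stand-ins, and "policies" here are just allowed path prefixes.
"""
import ipaddress
import secrets
from dataclasses import dataclass, field


class VaultError(Exception):
    """Stands in for a 403 / permission denied from a real server."""


def _allowed(client_ip: str, cidrs: list[str]) -> bool:
    """Empty bound-CIDR list imposes no restriction; otherwise ip must match one."""
    if not cidrs:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


@dataclass
class Role:
    name: str
    policies: list[str]                 # simplified: allowed secret path prefixes
    secret_id_bound_cidrs: list[str]    # where a SecretID may be redeemed from
    token_bound_cidrs: list[str]        # where the issued token may be used from
    secret_id_num_uses: int = 0         # 0 = unlimited, as in Vault
    role_id: str = field(default_factory=lambda: secrets.token_hex(8))


class MiniVault:
    """Hypothetical in-memory server; only the checks relevant to the comment."""

    def __init__(self) -> None:
        self.roles: dict[str, Role] = {}         # role name -> Role
        self.secret_ids: dict[str, list] = {}    # secret_id -> [role name, uses left]
        self.tokens: dict[str, dict] = {}        # token -> {"policies", "bound_cidrs"}
        self.kv: dict[str, dict] = {}            # secret path -> data

    def create_role(self, role: Role) -> str:
        self.roles[role.name] = role
        return role.role_id

    def generate_secret_id(self, role_name: str) -> str:
        role = self.roles[role_name]
        sid = secrets.token_hex(16)
        self.secret_ids[sid] = [role_name, role.secret_id_num_uses]
        return sid

    def login(self, role_id: str, secret_id: str, client_ip: str) -> str:
        """AppRole login: RoleID + SecretID -> token, gated by secret_id_bound_cidrs."""
        entry = self.secret_ids.get(secret_id)
        if entry is None:
            raise VaultError("invalid secret id")
        role = self.roles[entry[0]]
        if role.role_id != role_id:
            raise VaultError("role id does not match secret id")
        # First binding point: a SecretID leaked to an outside host is not redeemable.
        if not _allowed(client_ip, role.secret_id_bound_cidrs):
            raise VaultError(f"source {client_ip} outside secret_id_bound_cidrs")
        if role.secret_id_num_uses:          # enforce single/limited use
            entry[1] -= 1
            if entry[1] <= 0:
                del self.secret_ids[secret_id]
        token = secrets.token_hex(16)
        self.tokens[token] = {"policies": role.policies,
                              "bound_cidrs": role.token_bound_cidrs}
        return token

    def write_kv(self, path: str, data: dict) -> None:
        self.kv[path] = data

    def read_kv(self, token: str, path: str, client_ip: str) -> dict:
        """Token use: the token is only a reference; the secret stays server-side."""
        meta = self.tokens.get(token)
        if meta is None:
            raise VaultError("permission denied")
        # Second binding point: the token carries its own CIDR bound.
        if not _allowed(client_ip, meta["bound_cidrs"]):
            raise VaultError(f"source {client_ip} outside token_bound_cidrs")
        if not any(path.startswith(prefix) for prefix in meta["policies"]):
            raise VaultError("permission denied")
        return self.kv[path]


def run_scenario() -> dict:
    """Constructed scenario: app subnet 10.0.1.0/24, attacker at 203.0.113.9."""
    v = MiniVault()
    v.write_kv("secret/data/payments/db", {"password": "hunter2"})  # sample secret
    role_id = v.create_role(Role(
        name="payments-api",
        policies=["secret/data/payments/"],
        secret_id_bound_cidrs=["10.0.1.0/24"],
        token_bound_cidrs=["10.0.1.0/24"],
        secret_id_num_uses=1,
    ))
    secret_id = v.generate_secret_id("payments-api")
    results = {}

    # SecretID leaked (say, via a git commit) and replayed from outside the subnet.
    try:
        v.login(role_id, secret_id, "203.0.113.9")
        results["stolen_secret_id_login"] = "allowed"
    except VaultError:
        results["stolen_secret_id_login"] = "denied"

    # The application host inside the bound range logs in and reads the secret.
    token = v.login(role_id, secret_id, "10.0.1.5")
    results["app_read"] = v.read_kv(token, "secret/data/payments/db", "10.0.1.5")["password"]

    # The same token exfiltrated and used from the attacker's address.
    try:
        v.read_kv(token, "secret/data/payments/db", "203.0.113.9")
        results["stolen_token_read"] = "allowed"
    except VaultError:
        results["stolen_token_read"] = "denied"

    # The SecretID was single-use, so even an inside replay fails now.
    try:
        v.login(role_id, secret_id, "10.0.1.5")
        results["secret_id_reuse"] = "allowed"
    except VaultError:
        results["secret_id_reuse"] = "denied"
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The useful observation from running it is that the two CIDR lists are independent: binding only the SecretID still leaves a long-lived token usable from anywhere it is copied to, so both should normally be set, and `secret_id_num_uses=1` closes the remaining window in which a leaked SecretID could be redeemed from a compromised in-range host.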



