It doesn’t help that Microsoft has added the so-called delegated permission rights for the AD apps. What this actually does I don’t know – because even if you tick it, all the apps in the AD will still by default have access to your service. If you want to limit access to a specific app you have to do as follows.
Navigate to Enterprise applications in your AD settings. From there, head to your service application and set the "User assignment required" option to Yes. This makes the service actually require an assignment, so if you try to obtain a token now via your client, the service should return an error.
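The same change done with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not from the original post. It assumes the service's application (client) id is in $apiAppId and the single client you want to keep working is in $clientAppId (both placeholders), and it goes one step beyond the text above by also assigning that one client so its token requests succeed again while every other app still gets the error.

```powershell
# Added example (not from the original post). Needs the Microsoft.Graph module
# and an account that may change service principals in the tenant.
Connect-MgGraph -Scopes "Application.ReadWrite.All"

$apiAppId    = "<placeholder: application (client) id of the service app>"
$clientAppId = "<placeholder: application (client) id of the one permitted client>"

# An "Enterprise application" is a service principal; find the one for the service.
$apiSp = Get-MgServicePrincipal -Filter "appId eq '$apiAppId'"

# Equivalent of setting "User assignment required" to Yes in the portal.
Update-MgServicePrincipal -ServicePrincipalId $apiSp.Id -AppRoleAssignmentRequired:$true

# Verify the flag stuck: without an assignment, clients now get an error, not a token.
$check = Get-MgServicePrincipal -ServicePrincipalId $apiSp.Id
if (-not $check.AppRoleAssignmentRequired) { throw "assignment requirement was not set" }

# Re-allow exactly one client by assigning its service principal to the service.
# The all-zero role id is the default access role used when the service defines no app roles.
$clientSp = Get-MgServicePrincipal -Filter "appId eq '$clientAppId'"
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $clientSp.Id `
    -PrincipalId $clientSp.Id -ResourceId $apiSp.Id `
    -AppRoleId "00000000-0000-0000-0000-000000000000"

# Review who is assigned; only the permitted client should be listed.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $apiSp.Id |
    Select-Object PrincipalDisplayName, PrincipalType
```

Re-run the token request from the assigned client afterwards to confirm it works, and from any other client to confirm it is still refused.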