
Using service account credentials for querying emails from external Google Workspace


I'm developing a feature that reads emails from other workspaces for auditing purposes, and want to know how I can make use of a service account for accessing emails. I'll explain my approach first, and then elaborate on the question.

  1. Created a service account from Google Cloud Credentials, downloaded the key file for later use.
  2. From the advanced settings of the service account, enabled the Google Workspace Marketplace-compatible OAuth Client.
  3. Created another workspace for testing purposes. From its Admin console > Security > Access and data control > API controls > Domain-wide delegation, registered the client ID of the service account I created, with the gmail.readonly scope.
  4. Tested impersonating a test workspace user with the service account credential (key file in JSON format), and could retrieve the user's email.

And here is my question.

After registering my app on the Google Workspace Marketplace (which I haven't done yet), and after the workspace admin downloads the app and consents to its scopes, with what do I make API calls? Is it an access token from the OAuth flow when asking for the app's scope, or the same old JSON key file I created for the service account?


Solution

  • with what do I make API calls? Is it an access token from the OAuth flow when asking for the app's scope, or the same old JSON key file I created for the service account?

    The same service account with the same private key. If it works for your test domain, it will work when installed from the marketplace. You only need to find (or ask for) the email addresses of the users you want to audit.
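What "the same key, a different user" looks like at the protocol level, as an added example that is not part of the original answer: the service account key signs a JWT-bearer assertion in which only the `sub` claim changes per audited user, and that assertion is exchanged at the token endpoint for a short-lived access token. The helper names and the pluggable `sign` callable (RS256 with the key file's `private_key`, which Google's client libraries normally do for you) are assumptions of this sketch.

```python
import base64
import json
import time
from urllib.parse import urlencode

GMAIL_READONLY = "https://www.googleapis.com/auth/gmail.readonly"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def b64url(data):
    """Base64url without padding, as JWTs require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def delegation_claims(key_info, user_email, now=None):
    """Claim set for one impersonated user; only `sub` differs between users."""
    now = int(time.time()) if now is None else now
    return {
        "iss": key_info["client_email"],  # the service account itself
        "sub": user_email,                # workspace user being audited
        "scope": GMAIL_READONLY,          # must be a scope the admin authorized
        "aud": key_info["token_uri"],
        "iat": now,
        "exp": now + 3600,                # assertion lifetime is capped at one hour
    }


def token_request_body(key_info, user_email, sign, now=None):
    """Form body to POST to key_info['token_uri'].

    `sign` is a hypothetical callable: bytes -> RS256 signature bytes made
    with the private key from the service account JSON file.
    """
    header = {"alg": "RS256", "typ": "JWT", "kid": key_info["private_key_id"]}
    claims = delegation_claims(key_info, user_email, now)
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    assertion = signing_input + "." + b64url(sign(signing_input.encode("ascii")))
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion})


def peek_claims(assertion):
    """Decode (without verifying) the claims, e.g. to log which user a token is for."""
    payload = assertion.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
```

Because anyone holding the key file can mint such an assertion for any user in a domain that has authorized the client ID, the key file is the credential to protect, and logging the `sub` of every assertion gives an audit trail of who was impersonated.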