Tags: security, oauth-2.0, jwt, api-gateway

Is nested authentication and authorization with JWT using both machine-to-machine and user-based auth a thing?


Explain it to me like I'm five.

Is it typical to use machine-to-machine authentication alongside user-based authentication? Meaning: if I have a gateway or proxy which accepts user requests, and it verifies the JWT that comes in with a user request prior to processing or forwarding the request to application servers, is it normal, or a misuse, to expect to use a machine-to-machine JWT to ensure that requests arriving at the application servers originated from the gateway? And furthermore, is it normal, or a misuse, to wrap, or nest, the user's JWT within the machine-to-machine JWT when making the request to the application server?

Is it simply more typical to just have the gateway validate the JWT signature and claims and just forward it to the various application servers as needed?

Is the desire to nest JWTs in this fashion overkill, or some misuse / a case of "you're holding it wrong"?


Solution

  • If you have a bunch of back-end microservices being called via a gateway, then it is usual for the original access token to be forwarded - this provides user context to your APIs so that they can authorize correctly.

    A better use of the reverse proxy is to swap confidential tokens for those with rich claims - see the Phantom Token Approach for how this works.

    Note also that it is recommended for each individual API to validate the JWT - this is often described as a Zero Trust Architecture, which protects against man-in-the-middle exploits.
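The pattern the answer describes, as an added example that is not part of the original question or answer: the gateway validates the user's JWT once and forwards it unchanged, and the application service validates the same user JWT again itself (the zero-trust point). To address the question's machine-to-machine concern without nesting, the example sends a separate, short-lived gateway-signed JWT in its own header rather than wrapping the user token inside it; that separation is a design choice of this example, not something the answer prescribes. Everything here is constructed: the HS256 helper, the `IDP_KEY` and `GATEWAY_KEY` secrets, the issuer and audience strings, the header name `X-Gateway-Token`, the scope `orders:read` and the fixed clock `NOW` are all assumptions. A production service would use a real JWT library and asymmetric keys published by the identity provider.

```python
import base64
import hashlib
import hmac
import json
import time

NOW = 1_700_000_000                                 # fixed clock so the example is deterministic (constructed)
IDP_KEY = b"idp-signing-secret-constructed"          # key shared with the identity provider (assumption)
GATEWAY_KEY = b"gateway-to-service-secret-constructed"  # key known only to gateway and services (assumption)
AUDIENCE = "example-apis"                           # audience the user token is issued for (assumption)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT signer (example only; use a vetted library in practice)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Verify signature, then exp/iss/aud; raise ValueError on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # the verifier decides the algorithm, never the token
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims


def make_user_token(sub: str, scope: str, exp: int = NOW + 3600) -> str:
    """Stand-in for the identity provider issuing the user's access token (constructed)."""
    return sign_jwt({"iss": "https://idp.example", "aud": AUDIENCE, "sub": sub,
                     "scope": scope, "exp": exp}, IDP_KEY)


def gateway(request: dict, now=NOW) -> dict:
    """Edge: validate the caller's JWT once, then forward it unchanged plus a separate M2M token."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return {"status": 401, "error": "gateway: missing bearer token"}
    try:
        verify_jwt(auth[len("Bearer "):], IDP_KEY, "https://idp.example", AUDIENCE, now)
    except ValueError as e:
        return {"status": 401, "error": f"gateway: {e}"}
    # Short-lived token that only proves "this hop came through the gateway"; it carries no user claims.
    m2m = sign_jwt({"iss": "gateway", "aud": "orders-service", "sub": "gateway", "exp": now + 60}, GATEWAY_KEY)
    forwarded = {"path": request["path"],
                 "headers": {"Authorization": auth, "X-Gateway-Token": m2m}}
    return orders_service(forwarded, now)


def orders_service(request: dict, now=NOW) -> dict:
    """Back-end API: check the gateway token, then independently re-validate the user token (zero trust)."""
    headers = request.get("headers", {})
    try:
        verify_jwt(headers.get("X-Gateway-Token", ""), GATEWAY_KEY, "gateway", "orders-service", now)
    except ValueError as e:
        return {"status": 401, "error": f"service: not from gateway ({e})"}
    try:
        user = verify_jwt(headers.get("Authorization", "")[len("Bearer "):],
                          IDP_KEY, "https://idp.example", AUDIENCE, now)
    except ValueError as e:
        return {"status": 401, "error": f"service: {e}"}
    if "orders:read" not in user.get("scope", "").split():   # authorize on the user's own claims
        return {"status": 403, "error": "service: insufficient scope"}
    return {"status": 200, "orders_for": user["sub"]}


if __name__ == "__main__":
    good = {"path": "/orders", "headers": {"Authorization": "Bearer " + make_user_token("alice", "orders:read")}}
    print(gateway(good))                                   # 200, orders for alice
    print(orders_service({"path": "/orders", "headers": good["headers"]}))  # 401: no gateway token
```

Because the service validates the user JWT with the identity provider's key and the hop token with the gateway's key, a request that reaches the service without passing through the gateway fails even if it carries a perfectly valid user token, and a compromised gateway cannot forge user claims, since it never holds the identity provider's signing key.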