Wouldn't advertisers just use the auth token as a cookie then?

Bingo. "Auth Token" simply becomes "Session ID", and the backend then tracks anything it wants as part of the session.

I don't see much of a solution other than making it a matter of policy, eg. Microsoft's "P3P" header. Otherwise authentication credentials need to be supplied with every request. Not a session id or token as a cookie, but the actual username and password being supplied with every request. Basically the old http basic auth, but with a more modern system to replace it.

I understand the core idea behind the EU's desire, but the fact is that cookies are absolutely required for login sessions, and it's impossible to allow users to opt out. The EU doesn't understand the tech behind the laws they are trying to enforce, and this is where it leads to. Absurdity.

Yes. However, there are some upsides: having an auth token which from the perspective of the browser is limited to auth, makes it more explicit when the browser is passing an auth token to the site: if the browser shows a "Log out" button, then you're providing that auth token--if you didn't log in to a website and suddenly you have the option to log out, that's very obviously weird. Of the perhaps 10 sites I visit on a regular basis, I only even have logins for 3 (email, Reddit, HN) so other sites would be slightly hampered in tracking me.

Only if you're logged in and only to the first party server, though.

That requires separate opt-in consent according to GDPR.

GDPR is absolutely not about cookies, it's not about having private information but about uses of it. You may have a legitimate need to collect some data - that auth token for login purposes, the customer's address for delivery, etc. That's fine, it allows you to collect and use that data for that purpose. But it does not mean that you're automatically allowed to use that login token or delivery address you have on your servers for other purposes such as selling or giving it to third party advertisers.