Thanks a lot everyone for the feedback! We decided to proceed with the proposed solution. The feedback didn’t reveal any fundamental issues with the suggested approach.
We also understand that support for JSM Portal Users is very important for this feature to be useful for the developers. We will work on User Impersonation logic and JSM User Management systems in parallel. We will use the ticket to keep you up to date on the progress: 
The same applies to the following issues - several teams will work on these issues in parallel with the core impersonation functionality:
CONFCLOUD-80208 - Forge: Support unlicensed Confluence users (Guests and anonymous) Under Consideration
FRGE-1777: API endpoints not working when impersonated by JSM customersNeeds Triage
AC-1014: Grant “Browse Users” permission to add-ons requesting READ scopeNew
We have plans to add Third Party Auth impersonation down the track, however, we don’t have specific timeline at the moment:
Finally, information about rate limits and impersonation token TTLs will be provided later along with the documentation update.