
How should a token endpoint respond to invalid requests? #4

@Zegnat

Description


Mintoken uses error codes taken from RFC 6750: OAuth 2.0 Bearer Token Usage, 3.1. Error Codes.

An HTTP 401 status code with the invalid_token error is used whenever a faulty bearer token is sent as part of the IndieAuth Access Token Verification. Example:

php-mintoken/endpoint.php, lines 196 to 198 in 998e1d3:

```php
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: Bearer, error="invalid_token", error_description="The access token is unknown"');
exit();
```

But when a faulty POST request is made, I am not sure which standard to follow. RFC 6750 also features invalid_request:

   invalid_request
         The request is missing a required parameter, includes an
         unsupported parameter or parameter value, repeats the same
         parameter, uses more than one method for including an access
         token, or is otherwise malformed.  The resource server SHOULD
         respond with the HTTP 400 (Bad Request) status code.

Does it make sense to send an HTTP 400 status code, and only put the error in the WWW-Authenticate? That doesn’t feel right. Should a token endpoint respond with a JSON body instead, following RFC 6749: OAuth 2.0, 5.2. Error Response? But then only parameter mistakes return JSON.
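As an added illustration (not php-mintoken's own code), the two response shapes the question contrasts, side by side: a bearer-token verification failure answered per RFC 6750 §3.1 with the error in the WWW-Authenticate challenge, and a malformed token-endpoint POST answered per RFC 6749 §5.2 with a 400 and a JSON body. The helper names, the required-parameter list and the token table are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: reject a bearer token presented for Access Token
// Verification. RFC 6750 §3.1 puts the error in the WWW-Authenticate
// challenge: 401 for invalid_token, 400 for a malformed request.
function rejectBearer(string $error, string $description): void
{
    $status = ($error === 'invalid_token') ? '401 Unauthorized' : '400 Bad Request';
    header('HTTP/1.1 ' . $status);
    header(sprintf(
        'WWW-Authenticate: Bearer error="%s", error_description="%s"',
        $error,
        addcslashes($description, '"\\')  // keep the quoted-string well formed
    ));
    exit();
}

// Hypothetical helper: reject a malformed POST to the token endpoint.
// RFC 6749 §5.2: HTTP 400 with a JSON body carrying error and
// error_description; §5.1 additionally requires no-store / no-cache.
function rejectTokenRequest(string $error, string $description): void
{
    header('HTTP/1.1 400 Bad Request');
    header('Content-Type: application/json;charset=UTF-8');
    header('Cache-Control: no-store');
    header('Pragma: no-cache');
    echo json_encode(['error' => $error, 'error_description' => $description]);
    exit();
}

// Constructed token table standing in for real storage.
$knownTokens = ['example-token-value' => ['me' => 'https://example.com/']];

// Dispatch: an Authorization header selects the RFC 6750 path; a POST
// without one is treated as a token request and gets the RFC 6749 shape.
$auth = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
if (preg_match('/^Bearer\s+(\S+)$/i', $auth, $m)) {
    if (!isset($knownTokens[$m[1]])) {
        rejectBearer('invalid_token', 'The access token is unknown');
    }
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Assumed parameter set for an authorization_code grant.
    foreach (['grant_type', 'code', 'client_id', 'redirect_uri'] as $param) {
        if (!isset($_POST[$param])) {
            rejectTokenRequest('invalid_request', 'Missing required parameter: ' . $param);
        }
    }
}
```

With this split, every verification failure carries a WWW-Authenticate challenge and every token-request failure carries a JSON body, so a client never has to guess which of the two to parse.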
