You're correct; authorization_token is the only grant type supported by HubSpot. The existing OAuth flow is still the authorization method of choice for a backend service; HubSpot's OAuth specification follows the "Authorization Code Flow", found here:
Is this still the case? I'm wanting to have a server sync data to HubSpot but don't want the credentials to be linked to a user that has to refresh them with any sort of regularity. I do this with several other systems via OAuth2 client_credentials and was expecting to be able to do that here?