Currently applinks throws a CredentialsRequiredException when you don't have an access token.
However, if you do have an access token, but it's revoked or expired, we know that until we have made the request and you look at the oauth-specific HTTP response headers. By this time we can no longer throw a CredentialsRequiredException, because SAL's Request.execute() method doesn't declare it (nor would you want to, because the caller still needs to be able to access the response object in its handler).
As a solution to this, we shall subclass SAL's Request interface and make our ApplicationLinksRequestFactory.createAuthenticatedRequest() method return our ApplicationLinkRequest object. This class/interface has an extra overloaded execute(ApplicationLinkResponseHandler handler) method. In turn, this new ApplicationLinkResponseHandler interface has a second callback method that lets Applinks OAuth provider communicate the problem of a rejected token.