Permission callback to check if user has application password

You’re conflating roles/capabilities and application passwords. This problem has nothing to do with application passwords.

Application passwords are a way of authenticating who you are, that you are who you say you are. permission_callback isn’t interested in that though: just because you are indeed verified as you does not mean you have permission to do what you’re trying to do.

For example, you could use an application password on a user with the subscriber role to create a post, but subscribers cannot create posts. It’s like having a pass backstage, but it’s not a VIP pass.

So __return_false is telling it that you are not allowed to use that endpoint. Not because you are no longer logged in, or because you used an application password, but because you do not have the ability in this API. By using __return_false, nobody has permission to use this regardless of their role or how they accessed the REST API endpoint.

To make this work, you need to instead pass a function that returns true when Source is the user, or when a user of that role/capability uses the API. Much like only users who can edit posts are able to edit posts with the API. __return_false says that nobody is able to use this.
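A permission callback along the lines described above, as an added example that is not part of the original answer. The `example/v1` namespace, the `/report` route, the function names and the choice of the `edit_posts` capability are assumptions for illustration.

```php
<?php
// Added example, not from the original answer. Namespace, route, function
// names and the 'edit_posts' capability are assumptions for illustration.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/report', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_report',
        // Authorization step: by the time this runs, authentication (cookie
        // and nonce, application password, ...) has already set the current user.
        'permission_callback' => 'example_can_use_report',
    ) );
} );

/**
 * Decide whether the already-authenticated user may use the endpoint.
 *
 * @param WP_REST_Request $request Current request.
 * @return true|WP_Error True when allowed, WP_Error otherwise.
 */
function example_can_use_report( WP_REST_Request $request ) {
    // Same check regardless of how the user authenticated.
    if ( current_user_can( 'edit_posts' ) ) {
        return true;
    }

    // 401 when nobody is logged in, 403 when logged in without the capability.
    return new WP_Error(
        'rest_forbidden',
        __( 'You are not allowed to use this endpoint.', 'example' ),
        array( 'status' => rest_authorization_required_code() )
    );
}

/**
 * Endpoint handler; only reached when the permission callback returned true.
 */
function example_handle_report( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'user_id' => get_current_user_id(),
        'ok'      => true,
    ) );
}
```

With this in place, a subscriber authenticating with a valid application password gets a 403, while a user whose role includes `edit_posts` reaches the handler.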