Last time I checked, SSH access worked for any repo that you have “normal” write access to - your personal namespace, and any organizations that you own/have team rights to.
Once the SSH Signature is set up, the only change that needs to be made is to have your remotes use SSH/git protocol (
email@example.com:ORG/repo.git) instead of the HTTPS URLs
The last time I checked, the one exception was for third-party repos. Team Members can actually push changes to a branch that is the source of an open Pull Request. Handy if you want to do a little manual cleanup before merging, or the automatic merge tools cannot handle the situation. Only a branch that is the source of an open Pull request can be pushed to in this fashion, and then only if the person who opened the PR did not disable it.
Last time I checked, these third-party branches still had to be pushed to through the HTTPS variant.
It does look, however, that the Tokens for HTTPS are more of “Set Up a Large, random password that is different from the password that is allowed to manage your account” than anything else. They do not seem to need to be regenerated regularly, and are orthagonal to 2FA.