Application Access Policies work for Exchange Web Services now with Exchange Online / 365, and you can control by restricting to only specific mailboxes, or allow all except specific mailboxes.
However, from my investigations I could not see a way to limit access within a mailbox, e.g. if I want to restrict a mailbox to read-only. While there are Mail.Read / Calendar.Read etc. permissions, they don't appear to work with EWS. I still needed to grant the full_access_as_app permission for my application, else EWS wouldn't work at all; the Application Access Policies then limited access to specific mailboxes, but it was still full access to those mailboxes.
That's using Application Permissions.
You can use Delegate Permissions, in which case you're signing in as a specific user and permissions are the mailbox permissions for that user I would assume. That requires OAuth with consent screen sign-in, which is no use for the application I'm working on as it's an unattended service application.
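As an added illustration of the mailbox-scoping described in the post above (not code from the original poster), the following Exchange Online PowerShell session creates a RestrictAccess policy so that an app registration holding full_access_as_app can only reach the mailboxes in one mail-enabled security group, and then verifies the result. The app ID, group address and user addresses are placeholders; the cmdlets (Connect-ExchangeOnline, New-ApplicationAccessPolicy, Test-ApplicationAccessPolicy) are from the ExchangeOnlineManagement module. As the post notes, this narrows which mailboxes the app can touch, not what it can do inside them.

```powershell
# Requires the ExchangeOnlineManagement module; an Exchange admin signs in interactively once
# to configure the policy. The service app itself is never involved in this step.
Connect-ExchangeOnline

# Placeholder values (replace with your own): the Entra ID application (client) ID of the
# unattended EWS service, and a mail-enabled security group containing the allowed mailboxes.
$appId      = '00000000-0000-0000-0000-000000000000'   # placeholder, not a real app ID
$scopeGroup = 'ews-allowed-mailboxes@contoso.example'  # placeholder group address

# RestrictAccess = allow the app ONLY the mailboxes in the group.
# Use -AccessRight DenyAccess instead for "all mailboxes except these".
New-ApplicationAccessPolicy -AppId $appId `
    -PolicyScopeGroupId $scopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Limit unattended EWS service to the mailboxes it actually needs'

# Policies can take a while to propagate; list what is configured for this app.
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $appId }

# Verify the effective result for a mailbox inside and a mailbox outside the group.
# AccessCheckResult should be Granted for the first and Denied for the second.
Test-ApplicationAccessPolicy -Identity 'shared.inbox@contoso.example' -AppId $appId
Test-ApplicationAccessPolicy -Identity 'ceo@contoso.example'          -AppId $appId
```

Putting the allowed mailboxes in a dedicated group keeps the policy reviewable: membership changes show up in the group's audit trail, and the two Test-ApplicationAccessPolicy calls are a cheap check to run after any change to confirm the scope still holds.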