Creating a new OIDC app to be published in OIN

Hello,

There are a number of questions and not all are OIN specific. I would recommend creating a support case for the requirements for OIN applications. If you have not already, I suggest going through the below links for OIN OIDC applications,

For how does your application know which Okta Org to match up a request for? The most popular way would be to use different subdomains for each Okta Org that installs your application. Other possibilities could be based off email domain, but this requires each Org to only allow a specific set of mail domains that they have full control over.

Client id/secrets will be generated when a customer installs the application from the OIN. They would supply this to you to set up in your application. The doc links I provided go over mandatory documentation for OIN applications.

There would never be a situation where end users are assigned an API Token to make API calls into Okta. A user needs to be an admin to create a token. The /api/v1/users/me does not accept an access_token, but needs a valid Okta session (sid cookie). This would be better discussed in a support case however.

For OIDC apps to be set up on the dashboard, this needs to be done on an app by app basis. Note simply setting up an icon on the dashboard does not make it functional. There are two possible ways to set up SSO for an OIDC application from the dashboard. See Okta Help Center (Lightning)
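
The subdomain and email-domain matching described in the reply above, as an added example that is not part of the original post and is not Okta's code. The base domain, tenant registry, issuer URLs and client IDs are constructed placeholders, and the final check goes one step beyond the post by binding already-validated token claims to the tenant the request was routed to.

```python
from dataclasses import dataclass
from typing import Optional

BASE_DOMAIN = "app.example"  # assumption: tenants reach the app at <tenant>.app.example

@dataclass(frozen=True)
class TenantOidc:
    issuer: str                             # Okta org the customer installed the app in
    client_id: str                          # generated at install, supplied by the customer
    email_domains: frozenset = frozenset()  # mail domains the org fully controls

# Constructed sample registry; in practice it is filled in during customer onboarding.
TENANTS = {
    "acme": TenantOidc("https://acme.okta.example", "0oaACMEconstructed",
                       frozenset({"acme.example"})),
    "globex": TenantOidc("https://globex.okta.example", "0oaGLOBEXconstructed",
                         frozenset({"globex.example"})),
}

def tenant_from_host(host: str) -> Optional[TenantOidc]:
    """Exact-match lookup of the subdomain label. The issuer always comes from
    the registry and is never built from the Host header."""
    host = host.split(":", 1)[0].lower().rstrip(".")
    suffix = "." + BASE_DOMAIN
    if not host.endswith(suffix):
        return None
    return TENANTS.get(host[: -len(suffix)])  # nested labels such as "a.acme" miss

def tenant_from_email(email: str) -> Optional[TenantOidc]:
    """Fallback routing: resolves only when exactly one tenant claims the domain."""
    if email.count("@") != 1:
        return None
    domain = email.rsplit("@", 1)[1].lower()
    matches = [t for t in TENANTS.values() if domain in t.email_domains]
    return matches[0] if len(matches) == 1 else None

def claims_belong_to_tenant(tenant: TenantOidc, claims: dict) -> bool:
    """Run after signature validation: iss and aud must be the routed tenant's,
    so a token minted by one org is not accepted on another org's subdomain."""
    aud = claims.get("aud")
    aud_ok = aud == tenant.client_id or (isinstance(aud, list) and tenant.client_id in aud)
    return claims.get("iss") == tenant.issuer and aud_ok
```
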