u have to enable the admin services of the identity Server so that the AM can use a WS of the IS to validate the access token:
Accessibility of this service is by default disabled. You need to go to Identity_Server_HOME/repository/conf/carbon.xml and set the value false on following element as follows:
<HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>
Also u have to insert a custom handler in the API manager through the GUI, section Main -> ESB -> Source View, this because the default handler tries to validate the access token internally in the key manager of the API manager.
U can find the procedure here https://docs.wso2.org/display/AM160/Writing+a+Custom+Authentication+Handler