They are counted separately, but the limits are applied to portals, not request types. Any portal is limited to 40k requests and 10 requests/second, regardless of the authentication method.
One difference between using a hapikey or an access_token is that you can’t take advantage of the API call logging feature in your developer portal when using a hapikey. Also, certain APIs (i.e. timeline, webhooks, CRM extensions) require an access_token and cannot be accessed by using a hapikey. Otherwise, there is no difference between using a hapikey vs. an access_token.