Hi Fre,
If you wanted to take advantage of shared HTTP caching then putting the user ID in the URL is valuable because it becomes part of the unique identifier of the resource. But considering you only want authorized users to get the settings then being able to store in a shared cache is likely not a concern.
Arguably, the user ID in the URL and the Authorization token are not redundant. You may be able to infer one from the other today, but will that always be the case? Just because a client presents an Authorization token, doesn’t necessarily mean that you will know who the user is.
There are certain other obscure benefits to uniquely identifying user specific content. Imagine creating a secondary account (maybe for testing purposes). With unique identifiers you could build a mechanism where you can copy settings from one user to another, assuming you have credentials for both accounts.
TL;DR; There are some benefits to including the user ID but it is not essential.
Darrel