Example of token attenuation

Proving some examples is a great idea :man_facepalming: I put up some examples of your specific use case here.

A few things to note:

We don’t have specific caveats for managing certificates (we can and should add this). The best workaround is to allowlist the GraphQL mutations that the token can be used for. In the case of adding certificates to an app, that’s the addCertificate mutation.

Allowlisting mutations prevents the token from being used for anything but those mutations. So the add-cert token won’t be allowed to list certs. You’d want to create a separate app-read-only token for that. Juggling multiple tokens is kind of a pain, but it works.

Lastly, it’s a bit hard to use flyctl with tokens that are super locked down because it tends to do a bit more than the bare minimum of what you asked for. In the example of flyctl certs add, it first calls the addCertificate mutation and then attempts to read the app. So, running flyctl certs add will result in an error message from flyctl even though the addCertificate mutation succeeded.

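The mechanics the post describes, as an added toy model (not Fly.io's macaroon library, and not the examples the post links to): a root token is attenuated by appending caveats that chain an HMAC, so a holder can only narrow it, and an authorizer rejects any request that falls outside the caveats. The root key, the caveat shapes (`app`, `mutations`), the app name and the simulated `flyctl certs add` sequence (mutation, then a read of the app) are all constructed here for illustration.

```python
import hashlib
import hmac
import json

# Constructed root key for the example; a real issuer keeps this secret.
ROOT_KEY = b"constructed-example-root-key"


def _chain(prev_sig: bytes, data: bytes) -> bytes:
    """One link of the macaroon-style chain: new sig = HMAC(old sig, data)."""
    return hmac.new(prev_sig, data, hashlib.sha256).digest()


def _encode(caveat: dict) -> bytes:
    return json.dumps(caveat, sort_keys=True).encode()


def mint(root_key: bytes, identifier: str) -> dict:
    """Issue a root token whose signature is HMAC(root_key, identifier)."""
    return {"id": identifier, "caveats": [], "sig": _chain(root_key, identifier.encode())}


def attenuate(token: dict, caveat: dict) -> dict:
    """Append a caveat. Anyone holding the token can do this, and it only narrows it."""
    return {
        "id": token["id"],
        "caveats": token["caveats"] + [caveat],
        "sig": _chain(token["sig"], _encode(caveat)),
    }


def verify(root_key: bytes, token: dict) -> bool:
    """Recompute the chain from the root key; a stripped or edited caveat breaks it."""
    sig = _chain(root_key, token["id"].encode())
    for caveat in token["caveats"]:
        sig = _chain(sig, _encode(caveat))
    return hmac.compare_digest(sig, token["sig"])


def authorize(root_key: bytes, token: dict, request: dict) -> tuple:
    """Check the signature, then every caveat against the request.

    request is a constructed shape: {"app": ..., "kind": "mutation"|"query", "op": ...}
    """
    if not verify(root_key, token):
        return False, "signature mismatch (token forged or caveat stripped)"
    for caveat in token["caveats"]:
        if caveat["type"] == "app" and caveat["app"] != request["app"]:
            return False, f"token is scoped to app {caveat['app']!r}"
        if caveat["type"] == "mutations":
            if request["kind"] != "mutation" or request["op"] not in caveat["allow"]:
                return False, f"{request['op']} is not an allowlisted mutation"
    return True, "ok"


def make_cert_token(root_key: bytes, app: str) -> dict:
    """The post's add-cert token: scoped to one app, allowlisted to addCertificate only."""
    token = mint(root_key, "org:constructed-example")
    token = attenuate(token, {"type": "app", "app": app})
    token = attenuate(token, {"type": "mutations", "allow": ["addCertificate"]})
    return token


def run_flyctl_certs_add(root_key: bytes, token: dict, app: str, hostname: str) -> list:
    """Simulate the two calls the post says flyctl makes: the mutation, then a read of the app."""
    steps = []
    ok, _ = authorize(root_key, token,
                      {"app": app, "kind": "mutation", "op": "addCertificate", "hostname": hostname})
    steps.append(("addCertificate", ok))
    ok, _ = authorize(root_key, token, {"app": app, "kind": "query", "op": "app"})
    steps.append(("app", ok))
    return steps


if __name__ == "__main__":
    tok = make_cert_token(ROOT_KEY, "my-app")
    print(authorize(ROOT_KEY, tok, {"app": "my-app", "kind": "mutation", "op": "addCertificate"}))
    print(authorize(ROOT_KEY, tok, {"app": "my-app", "kind": "query", "op": "certificates"}))
    print(run_flyctl_certs_add(ROOT_KEY, tok, "my-app", "example.test"))
    # Dropping the mutations caveat while keeping the old signature fails verification.
    stripped = {"id": tok["id"], "caveats": tok["caveats"][:-1], "sig": tok["sig"]}
    print(verify(ROOT_KEY, stripped))
```

The simulated run reproduces the post's failure mode: `addCertificate` is authorized, the follow-up read of the app is not, so a tool that does both reports an error even though the mutation went through. The last check shows why allowlisting is safe to hand out: a holder who removes a caveat no longer has a valid signature.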