An easy way to test your approuter is using the user-api-service. For that add the following route to your xs-app.json
{
"source": "^/user-api(.*)",
"target": "$1",
"service": "sap-approuter-userapi"
}
And after deployment, open the application router URL and add /user-api/currentUser to it. You should see your Email and other User details. This is testing that the application router is actually getting the security token from the UAA instance.