As explained here, sensitive data in the URL query part (such as a secret API token) is primarily an issue if the URL is accessed directly in the browser and therefore visible in the URL bar as well as stored in the browser history.
But API requests are usually performed in the background of an app or via a background AJAX request and therefore you're much less likely to run into a situation where the plain API request URL is presented to a user. Therefore the dangers of sensitive data in the URL are negligible for an API.
Also note that over HTTPS the full HTTP request is encrypted, including the query part. Only the hostname (api.instagram.com
) would be exposed to a MITM as a side effect of SNI.