
My organisation mandated that Windows Domain Service accounts internally should not have the "Allow log on locally" permission, and essentially be non-interactive.

What exactly is the potential risk for enabling this policy for a service account? Microsoft documentation here states that "unauthorized users could download and run malicious software to elevate their privileges", I'm not sure if I understand how this is applicable.

Can someone please elaborate on the potential attack paths if this is enabled for both an internal and external facing application?

user1876202

1 Answer


It is difficult to give specifics of attack paths with the limited information you have provided; however, the documentation you cite states:

Vulnerability

Any account with the Allow log on locally user right can log on to the console of the device. If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges.

Applications are usually run using a Service account, as you pointed out in your question. These accounts usually have very restricted privileges that enable them to run the application and that is it. By enabling this feature, these accounts would be able to run an interactive shell (i.e. the Command Prompt). Using the command prompt, as stated, can allow a user to download and run malicious software.

There are a multitude of ways that a malicious actor can get a shell using an application, so without any specifics (other than that you have a Windows environment), it would be hard to comment on attack vectors.

One example could be: if the application in question has an upload feature, that then hosts the document on the web-server, an attacker could upload a malicious aspx page that gives them a shell (see example here). Then using this shell they could download and install malware, if the "Allow log on locally" permission is granted to that service account.

meowcat
  • If "Allow log on locally" is disabled for a particular service account, would that mean it is impossible to get a shell for that account via any attack vector like the aspx one you suggested? – user1876202 Jun 04 '20 at 11:39
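For anyone implementing the mandate described in the question, the practical question is "which accounts actually hold this right on a given server, and are my service accounts denied it?" The script below is an added example for this thread, not code from the question or the answer. It exports the local user-rights assignments with `secedit`, resolves the SIDs, and flags any listed service account that is allowed to log on locally (directly, or through a broad group such as BUILTIN\Users, which holds the right by default on member servers and contains Domain Users by nesting) and is not covered by "Deny log on locally". Deny always overrides Allow, which is why the Deny right is the reliable control rather than trimming the Allow list. The account names under `$ServiceAccounts` are placeholders; the script assumes an elevated PowerShell session on the server being audited.

```powershell
# Added audit script for this thread (not from the original question or answer).
# It exports the local user-rights assignments with secedit, lists who holds
# SeInteractiveLogonRight ("Allow log on locally") and
# SeDenyInteractiveLogonRight ("Deny log on locally"), and flags service
# accounts that are allowed (directly or via a broad group) and not denied.
# Assumptions: run from an elevated PowerShell on the server being checked;
# the account names in $ServiceAccounts are placeholders to replace.
param(
    [string[]]$ServiceAccounts = @('CORP\svc_webapp', 'CORP\svc_batch'),  # placeholders
    [switch]$Remediate    # add flagged accounts to the Deny right (local policy only)
)

function ConvertTo-Sid([string]$Principal) {
    # secedit writes principals as *S-1-...; occasionally a plain name appears
    $p = $Principal.TrimStart('*')
    if ($p -match '^S-1-') { return $p }
    ([System.Security.Principal.NTAccount]$p).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function ConvertTo-Name([string]$Sid) {
    try { ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
              [System.Security.Principal.NTAccount]).Value }
    catch { $Sid }   # orphaned or foreign SID: show it raw
}

# Export only the user-rights area to an INI-style file and read it back.
$export = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$policy = Get-Content $export
Remove-Item $export

# A right appears as one line, e.g.
#   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
function Get-RightSids([string]$Right) {
    $line = $policy | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim() } | Where-Object { $_ } |
        ForEach-Object { ConvertTo-Sid $_ }
}

$allow = @(Get-RightSids 'SeInteractiveLogonRight')
$deny  = @(Get-RightSids 'SeDenyInteractiveLogonRight')

Write-Host "Allow log on locally:" ($allow | ForEach-Object { ConvertTo-Name $_ })
Write-Host "Deny log on locally: " ($deny  | ForEach-Object { ConvertTo-Name $_ })

# Well-known groups that grant the right to almost every domain account through
# nesting (Domain Users is a member of BUILTIN\Users on member servers).
$broad = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')   # Everyone, Authenticated Users, Users
$broadAllowed = [bool]($broad | Where-Object { $allow -contains $_ })

$findings = foreach ($acct in $ServiceAccounts) {
    $sid    = ConvertTo-Sid $acct
    $direct = $allow -contains $sid
    $denied = $deny  -contains $sid
    [pscustomobject]@{
        Account         = $acct
        AllowedDirectly = $direct
        AllowedViaGroup = $broadAllowed
        Denied          = $denied
        # Deny overrides Allow, so an explicit Deny closes both paths.
        NeedsAttention  = (-not $denied) -and ($direct -or $broadAllowed)
    }
}
$findings | Format-Table -AutoSize

if ($Remediate) {
    $extra = $findings | Where-Object NeedsAttention | ForEach-Object { ConvertTo-Sid $_.Account }
    if ($extra) {
        # secedit /configure replaces the whole list, so keep the existing Deny entries.
        $sids = @($deny + $extra | Select-Object -Unique | ForEach-Object { "*$_" })
        $template = Join-Path $env:TEMP 'deny-interactive.inf'
        $content = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
'@ + "`r`nSeDenyInteractiveLogonRight = $($sids -join ',')"
        Set-Content -Path $template -Value $content -Encoding Unicode
        secedit /configure /db (Join-Path $env:TEMP 'deny-interactive.sdb') `
            /cfg $template /areas USER_RIGHTS
        Remove-Item $template
    }
}
```

Two caveats when reading the output. First, a local change made with `-Remediate` is overwritten at the next policy refresh if a Group Policy Object defines the same right, so in a domain the Deny right belongs in a GPO applied to the servers, with the service accounts (or a group containing them) as its members. Second, this right only governs interactive (console and `runas`) logons; a service or scheduled task that already runs as the account uses the separate service and batch logon rights and keeps running regardless, so denying local logon limits what someone holding the account's password can do from the console rather than stopping code that already executes under that identity.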