The difference is that you can have multiple API keys for the same account.
- You can revoke API keys from a lost device without changing your password.
- You can grant a different service a restricted API key for limited access.
- API keys can expire; forcing password expiry is very user-unfriendly.
The password is the "root secret" of the account. It is (mostly) unrevokable and doesn't expire. It is a huge risk to have the password lying around. So it is better to quickly exchange the password for a less risky token, then you can wipe the password. Then all clients don't need to store the password. The user just needs to provide it once then lower-value secrets can be used for future authentication.
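The "exchange the root secret once for lower-value tokens" model above, as an added Python example that is not from the original answer: a password is verified a single time and traded for API keys that are scoped, expiring and individually revocable, so clients never hold the password. It assumes an in-memory account store, PBKDF2 for the password hash, SHA-256 for stored key hashes, and an injectable `now` clock for testing.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed demo: the password is the root secret; API keys are derived
# secrets with less value (scoped, expiring, revocable). Only hashes are kept.

class Account:
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash_password(password, self.salt)
        self.api_keys = {}  # key_id -> {"hash", "scopes", "expires", "revoked"}

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._hash_password(password, self.salt), self.pw_hash)

    def issue_api_key(self, password, scopes, ttl_seconds, now=None) -> str:
        """Verify the root secret once and hand back a restricted, expiring key."""
        if not self.check_password(password):
            raise PermissionError("bad password")
        now = time.time() if now is None else now
        key_id = secrets.token_hex(4)          # public identifier, used for revocation
        secret = secrets.token_urlsafe(32)     # shown to the client exactly once
        self.api_keys[key_id] = {
            "hash": hashlib.sha256(secret.encode()).digest(),
            "scopes": frozenset(scopes),
            "expires": now + ttl_seconds,
            "revoked": False,
        }
        return f"{key_id}.{secret}"

    def revoke(self, key_id: str) -> None:
        """Kill one key (e.g. a lost device) without touching the password or other keys."""
        self.api_keys[key_id]["revoked"] = True

    def authorize(self, api_key: str, scope: str, now=None) -> bool:
        """True only if the key is known, unrevoked, unexpired and carries the scope."""
        now = time.time() if now is None else now
        key_id, _, secret = api_key.partition(".")
        rec = self.api_keys.get(key_id)
        if rec is None or rec["revoked"] or now >= rec["expires"]:
            return False
        if not hmac.compare_digest(hashlib.sha256(secret.encode()).digest(), rec["hash"]):
            return False
        return scope in rec["scopes"]
```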