Of course you need identity (FoAz uses JWTs from authN solutions - can also be your VM (if it produces a JWT as it's magic link process)) , but Authorization is another step on top.
e.g. You are Dave@customer.io (or some other verified identity), I know you, but how many SMS messages should I allow you to send via Vonage or Twilio when you click the button in the app? Managing that quota is an example of authorization.
That doesn't change the fact that they're separate but related concerns. Authentication is enforcing that someone is who they say they are, and authorisation is checking that that person is allowed to access a secure resource. Looks like FoAz just solves the authorisation problem, allowing you to use another authentication provider.