It's OAuth. Each user that allows access to the app will have an individual token only valid for that app and only for that user's account. Either the developer or the user can revoke that token at any time.
All the dev has to do is to not create/send a token to the user until they subscribe, then revoke that user's token if the subscription expires.
If the app developer doesn't have an API key in the app though then what power does Reddit have to stop them? Reddit would have to ban each individual API key that people generated and put in the app, no?
And what you're going to find too is that as the sub price goes up, the users who use it the least (generating less API costs) get priced out first. In other words, the average cost per user increases because the users who are willing to pay more are the ones who are generating more costs. If 75% of users stop using it because of the subscription cost, the API costs won't fall by anywhere close to 75%.
Right now nobody even knows which ones will be blocked or not because it's hardly visible at the moment. It's going to be an absolute clusterfuck once people start realizing their subreddits are improperly categorized as NSFW and are completely blocked from the API.
If it's the same as the mobile website, then new/small subreddits are blocked too for being "unreviewed".