How Azure Service Principal (SPN) defines who can access the application?

While going through reams of documentation on Service Principals, including many question threads here on Stack Overflow, the literature claims that "Service principals define who can access the application, and what resources the application can access." For example, this is from the Microsoft Docs below: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/service-accounts-principal

While the latter part of the statement, "what resources the application can access", is fairly clear, and it's the technical-user kind of use case of a Service Principal, where and how is the first part, "Service principals define who can access the application", implemented? Especially in a single-tenant app registration.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow