Not really an enquiry, rather for documentation purposes in case similar problems appear. Here is the story.
I've migrated a Moodle 3.1 to a new server and upgraded it to 3.5 in one step to find that in the new site the admin couldn't login. No debug messages on the browser, just the username and password kept vanishing when I click Login. The web server error log recorded a "Invalid Login Token" at each login. Interestingly non-admin users could log in without a problem.
Initially I suspected a block on the front page, which only the admin has - as this discussion suggests: Lots of invalid login token errors in the logs. Specially since the original site used the theme Afterburner. But couldn't find anything special with the admin's front page.
The next suspicion was a HTTP vs. HTTPS collision in the login tokens. I was trying to get the new site running under HTTP whereas the original site was HTTPS. My problem was that since the domain remains the same, I switch between the two servers with my local DNS in /etc/hosts, but that way couldn't get a Let's Encrypt certificate. Then decided otherwise: changed the public DNS temporarily, switched the new site to HTTPS with a Let's Encrype certificate. The admin login problem immediately vanished!