You can think of app-tunnel like a mini one-TCP-port VPN.
The client side (the end user's PC side of the tunnel) connects to a loopback IP, so it must have privileges to create that socket listener in the operating system. The client-side components will replace the special keywords %HOST% and %PORT% with the actual client-side (loopback) host and port that are selected as the tunnel is created.
The server side (the APM side of the tunnel) connects to whatever is defined in the APM resource, which can include the logged-in user's session variables. You can populate session variables with any data you like during session creation. How do you want to keep track of the individual user's app tunnel targets in your environment?