When building a REST-API, that is secured with tokens (JWT or something),
Should the token be included in the body or in the headers?

"Authorisation" header:

Authorization: Bearer AAAAAAAAAA...

headers. See @Sbiewald 's comment

Headers
Or in the case of websockets, a query parameter

@dan-pud no no no. No. No.

Query params are logged. Headers aren't.
In case of websockets use login/passcode headers (STOMP) or build your own auth solution exchanging secrets in the payload.

Do NOT pass your auth info in the first HTTP header (i.e. method_path_httpVersion)