Reason you are not seeing secure variables available sometimes is probably becase they are not allowed in Pull requests for security reasons. Some details in the bottom of this part of documentation. There is a UI-only option Enable secure variables in Pull Requests from the same repository only for public projects and both Enable secure variables in all Pull Requests and Enable secure variables in Pull Requests from the same repository onlyfor private projects.
GitHub token is not repository specific, at least per my knowledge.
Encryption of secure variable is specific to AppVeyoraccount and unrelated to GitHub. As long as project belong to the account, and build is not a PR, build can decrypt the token.
Encrypting variable in UI will works too, as long as your role allows to update project setting. Common mistake here is double-encryption. If you use UI and "lock", paste clear text variable and then press "lock". Do not encrypt it with https://ci.appveyor.com/tools/encrypt in this case.