https://vimeo.com/upload/select_thumb URL is used to set thumbnails to your Vimeo video. https://vimeo.com/upload/select_thumb URL request is composed of 3 parameter clip_id, token, and time. clip_id parameter is used to select a video you want to get a thumbnail, the token is an anti-CSRF token and time parameter is the time frame of the video you selected.
I changed the value of clip_id parameter to another video id to test some authorization flaw, it seems, it works because I got HTTP/1.1 200 OK and I short JSON response that contains a URL, like this one
To confirm this is an authorization flaw, I make an another account and upload a private video on that account and get the clip_id then make an HTTP request (https://vimeo.com/upload/select_thumb) to my attacker account using that clip_id. as a result, I got some thumbnails on a private video.
To get the whole video just iterate the time parameter!