I can’t give you specific details, only a general idea of the new system and a little guess-work.
Authorization is now implemented using policies. There is a little bit of naming-convention magic that decides which policy to run at any given moment.
A typical call might be something like:
$identity->can('edit', $article);
Details of this example call
In this example call the $identity is the authenticated user’s identity object. This basic object gets wrapped and expanded by the Authorization plugin.
The policy class that gets called is determined by the second argument; in this expample $article.
A specific Policy Class will be called for each class type you pass (more details here).
There are a couple of other general policy checks beyond can (which will return a boolean). canResult will return an Policy Result Object. scope will operate on and modify query objects.
I expect you will need to map your old v2 ACL checks to these new policy checks.
If I recall correctly, isAuthorized() returned a boolean. So your isAuthorized() calls will need to be changed to can calls as illustrated above.
The logic that determined access from your ACL arrays will need to be handled by your new can policies. Or possibly, the can can delegate back to the older auth check logic.
Possibly this brief overview will help?