Api Keys: Security Question. Will api key ( APIKey ) work for a disabled user or expired password?

Article ID: 108134

Products

Rally On-Premise, Rally SaaS

Issue/Introduction

Will the APIKey work if it belongs to a user that is disabled or locked?

Resolution

NO.

The APIKey will work only when the user that it belongs to is fully functional and in good standing. Disabled or Locked users cannot operate their API Keys. When the user is functional, enabled, and in good standing, the APIKey will work. In that condition the APIKey can be used for either Full Access or Read-Only Access.

If SSO is not enabled in the Rally Subscription, the APIKey will not work if the password is expired for the associated user. The password will need to be reset in order for the APIKey to work again.

When SSO is enabled, the password policy in the subscription settings is ignored (except for users on the exceptions list, as expected).

A Full Access key has the same capabilities as its user, based on that user's permissions.
A Read-Only key will not allow creating or modifying objects.

You can learn more about the reasons to consider generating a Read-Only access key here:
https://knowledge.broadcom.com/external/article?articleId=98242

Additional Information

More on API Keys: https://techdocs.broadcom.com/us/en/ca-enterprise-software/agile-development-and-management/rally-platform-ca-agile-central/rally/administration/it-administration/how-users-authenticate/using-rally-application-manager/external-api-keys.html
API Keys FAQ: https://knowledge.broadcom.com/external/article?articleId=10161