"Nesting" (overlapping networks) requires proxy-arp and therefore SHOULD be avoided at all costs. No enterprise router will allow such a broken configuration -- each interface/subnet must be completely independent, which means out in the real world, where real IP addresses are routed, this method of "conservation" cannot be used. (aka: nonsense) [*]
It SHOULD not be attempted by anyone not thoroughly versed in networking. (i.e. if you haven't been designing, setting up, and maintaining large, complex networks for a decade or more, you shouldn't even be talking about this type of damage.)
(Full disclosure)
I'm doing this exact thing in an OpenStack development environment right now. 192.168.xx.0/24 has a /29 behind one of the machines in the larger /24. That machine has to have a number of specific, non-default settings changed to pretend to be hosts within the /29 slice. (aka proxy-arp) Yes, I can add a route for the /29 on the router, but the machines in the /24 still won't be able to talk to the /29 because their larger netmask means they're link-local; I'd have to add that /29 route to all the machines in the /24 for them to work.
All-0 and All-1
Those concepts haven't had any tangible meaning in modern networking for decades. Nothing you're likely to run into on the internet makes any assumptions about network size -- everything is classless now. Yes, there used to be issues using an all-0 (or 1) subnet -- say 199.72.0.0/24 (the first subnet from 199.72.0.0/16) (true story) -- because some random system on the internet (AIX) applied class logic to the range. Nothing does that today. So, with 199.72.0.0/16, the address range is 0.0 to 255.255 -- with those two addresses being the /16's network and broadcast addresses. Those are always the /16's network and broadcast, even if a /24 were nested within it somewhere.
The active netmask ALWAYS defines the network and broadcast. Yes, that means a nested construct has multiple broadcast addresses, but due to different netmasks, nodes within different zones (sub-network, parent-network, ...) listen to different addresses. At layer-2 (Ethernet), all hosts in the same domain (e.g. VLAN) see the same broadcasts but the host will filter out, at layer-3, the "foreign" broadcasts, unless they're sent to the "all nodes" broadcast address of 255.255.255.255.
[*] ISPs wanting to conserve space like this do it via bridging, but that has its own problems.
[*] I warned my idiot ("we know more than you") coworkers not to use 199.72.0.0/24, but they did it anyway -- putting the webdev desktops in 0.0/25. A day later came the "What. Did. I. Tell. You." after complaints from every single person about random places on the internet they simply couldn't get. That was in 1997.
I think your confusion starts here:
> Yet, both of these /24 networks would still be part of that one larger /23 network.
There is no longer a /23 network, because you have divided it into two /24s. You can summarize the two /24s as a /23, but the /23 subnet no longer exists as a subnet.
In other words, you don't have some hosts with a /23 mask, and others with a /24 mask. All your hosts will be on one or the other of the /24s.
You have also discovered a (small) drawback to subnetting: as you divide networks into smaller and smaller subnets, you lose space to network and broadcast addresses. If you take a /24 and divide it into /30's, you will lose half of the available address space.
Best Answer
Yes, you are right. Although no one does this in the practical day-to-day world, it is easier to see this if you convert the subnet in question into binary digits and then remember that the broadcast address is simply the case with all 1s and the network address with all zeroes.
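The binary view described above, together with two points from the other answers (the active netmask decides which addresses are network and broadcast; splitting a /24 into /30s loses half the space), as an added Python example that is not part of any of the original answers. The 10.0.0.0/23 and 192.0.2.0/24 ranges are constructed sample values and the function names are hypothetical; prefixes of /30 or shorter are assumed.

```python
import ipaddress


def host_bits(addr, prefix):
    """32-bit binary form of addr with '|' between network and host bits."""
    bits = format(int(ipaddress.IPv4Address(addr)), "032b")
    return bits[:prefix] + "|" + bits[prefix:]


def classify(addr, prefix):
    """How a node configured with this prefix length treats addr:
    host bits all 0 -> 'network', all 1 -> 'broadcast', otherwise 'host'."""
    host_len = 32 - prefix
    all_ones = (1 << host_len) - 1
    host = int(ipaddress.IPv4Address(addr)) & all_ones
    if host == 0:
        return "network"
    if host == all_ones:
        return "broadcast"
    return "host"


def split_cost(parent, new_prefix):
    """Split parent into subnets of new_prefix length. Returns
    (subnet count, addresses spent on network/broadcast, fraction lost)."""
    net = ipaddress.ip_network(parent)
    subnets = list(net.subnets(new_prefix=new_prefix))
    reserved = 2 * len(subnets)  # one network + one broadcast per subnet
    return len(subnets), reserved, reserved / net.num_addresses


if __name__ == "__main__":
    # Constructed sample: the same addresses seen with a /23 and a /24 mask.
    for addr in ("10.0.0.255", "10.0.1.0", "10.0.1.255"):
        for prefix in (23, 24):
            print(f"{addr:<11} /{prefix}  {host_bits(addr, prefix)}  "
                  f"{classify(addr, prefix)}")
    # Constructed sample: cost of cutting a /24 into /30s.
    count, reserved, lost = split_cost("192.0.2.0/24", 30)
    print(f"{count} subnets, {reserved} reserved addresses, {lost:.0%} lost")
```
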