They differ with these 3
allowDebug="true"
allowHTTP="true"
sessionTokenOnly="true"
Since I am passing the session and security tokens over HTTPS, it should be accepted.
I did notice that the public security zone has a proxy configured with a localhost IP mask: proxy="127.0.0.1, ::1"
Does this mean that only request from the local server AC is on can make requests through the public zone? If that is true, this is why my requests are being denied.