It seems the entire difference between a working request and a broken one is the cookie being passed up.
The working one includes ApplicationGatewayAffinityCORS, ApplicationGatewayAffinity, login-token and cq-authoring-mode.
The broken one only has ApplicationGatewayAffinityCORS.
So I guess my question is: How do I get the login-token (and other fields) from AEM? Can I force XHR to somehow use the default browser values for this?