I have never tried to access a Sling Servlet in this manner. You can try and see if it works. I have successfully used HTTP API code to invoke a servlet - which works fine.
You can try to test your code at 1st by hard-coding authentication. Then once that works - you can try to figure out a better way to get authentication information. Maybe place it in a deep node in the JCR which would be secure.
Are you making the jcr query within servlet to get the node data and create json ? if so, I would recommend to move the the logic of querying the node data and getting a json to a service and your servlet should just call that service method to respond to the http request.
If you have this solution in place, then you can refer the same service and call the respective method within your workflow process aswell.
Basically, I would keep any logical processing in a service and make servlet as a delegate class. This would keep your implementation clean and make it more re-usable.