If both positive & negative use cases are working fine on the publish server directly, then you may want to check the Apache Sling Referrer Filter and CSRF configuration on the publish server that would play a role when you request via the dispatcher. Could you also validate that token.json is allowed in the dispatcher or sh...