It seems the entire difference between a working request and a broken one is the cookie being passed up. The working one includes ApplicationGatewayAffinityCORS, ApplicationGatewayAffinity, login-token and cq-authoring-mode. The broken one only has ApplicationGatewayAffinityCORS. So I guess my quest...