=== 1) Can PHP see the Authorization header? ===
HTTP_AUTHORIZATION         : 
REDIRECT_HTTP_AUTHORIZATION: (empty)
getallheaders Authorization: 
?token= in URL             : (none)

=== 2) What token does the backend extract? ===
bearer_token() returned    : (null)

=== 3) Does that token match a valid user in the DB? ===
No token to check. If section 1 shows the header is empty everywhere,
the .htaccess fix is not active yet — that's the root cause.