401 unauthorised when proxy enabled

When proxying is enabled, 401 unauthorised is returned whenever an un-authenticated API call is made to our site (ie: from a console in the browser when viewing the site and obtaining a verification token). I can see it in the logs, but not in security, so I don’t think it’s WAF. When proxy is disabled, no issues at all.