As opposed to the XWiki authentication when navigating in browser (through XWikiServlet), the authentication done by the REST servlet doesn't look at the cookies if an Authorization header is present in the request.
This can create issues when trying to use XWiki behind an apache which has already some basic authentication set, where the basic authorization users don't match xwiki users. When a request from an authenticated user will come in, it will have both authorization headers and cookies. REST service processes the authorization headers and, if user doesn't match an xwiki user, returns 401. It would check cookies only if the authorization header would not be present.
Note that this behaviour is not necessarily wrong, it's only an issue because xwiki servlet behaves otherwise and they should be consistent (all XWiki standard actions behind an apache with basic authentication don't cause any kind of problems as long as the client sends the appropriate cookies).