This PR fixes a bug where missing Authorization headers in declarative endpoint syntax were incorrectly returning HTTP 400 (Bad Request) instead of the RFC-compliant HTTP 401 (Unauthorized) status code.

Closes #3235 /claim #3235