One thing we can try…
Add `header_upstream -Authorization` to your proxy to the controller.
This will make sure Caddy doesn’t send that header at all, and the controller will therefore have no opportunity to throw a wobbly about it, if that is indeed what’s happening.