Add header_upstream -Authorization to your proxy to the controller.
This will make sure Caddy doesn’t send that header at all, and the controller will therefore have no opportunity to throw a wobbly about it, if that is indeed what’s happening.
It just stops the header from being sent to the proxied server. It’s negligible. No real benefit or drawback, I’d say, outside of situations like this.