Thanks for the simplified report, I’m able to see the same behavior. So basically you are expecting a 401 response right, even with handle_errors used?
If so, then the current config won’t do that, and I can explain why. The basicauth directive is returning an error, so handle_errors is then invoked, and because it’s not a 404 error, it simply runs the file_server directive, which looks for an index file when a directory is required. There is no index file I presume, so it returns a 404.
In hindsight, we could probably do better than return a 200 when handling an error in the error handler 
But I think that’s a separate issue.
Does that answer your question?