REST API — 401 unauthorised

Hi all,

I am tearing my hair out here!
Trying to get order info and getting 401:

{
“code”: “woocommerce_rest_cannot_view”,
“message”: “Sorry, you cannot view this resource.”,
“data”: {
“status”: 401
}
}

I got it down to the fact authorization does not succeed (user is not logged in).
Here is what I did:
Legacy API enabled
Keys are generated and re-generated for admin user and another user with Shop Manager permission

I created test setup on same server with relatively “virgin” WooCommerce setup. I can use API with no problem.

I use Postman to simulate API calls and calls to working and non-working setups are same (except keys of course). So, it is not a server setup, but rather something on my site. Authorisation is Oath 1.0

When user is logged in as admin, I can use APIs via same browser and all works, so problem is definitely with authentication.

Caching plugins are disabled.

I tried to add to .htaccess:
RewriteRule ^index\.php$ – [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

The difference I see between working and non-working calls are in returned headers:
Non-working: Cache-Control →no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Working: Cache-Control →no-cache, must-revalidate, max-age=0

Working also get two extra header tags:
Allow →GET, POST, PUT, PATCH, DELETE
Content-Encoding →gzip

Where exactly authentication is happening? I can put some debug code in to see what exactly happens. I tried to sprinkle some debug in class-wc-rest-authentication.php, but looks like none of the authorisation functions get called. in fact authenticate() is not being called, so seems WP doe snot even try to authorise user!

Any help will be greatly appreciated,
Thank you,
Rudolf