By default, Apache doesn't pass the Authorization header, which is used for bearer tokens, on to the application. To make it work, I had to do this:
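# Option 1 (mod_rewrite): copy the Authorization header into HTTP_AUTHORIZATION.
# Kept commented out as a pair so the RewriteCond cannot attach to a later RewriteRule.
# RewriteCond %{HTTP:Authorization} ^(.*)
# RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
# Option 2 (mod_setenvif): set HTTP_AUTHORIZATION whenever the header is non-empty.
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0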
I had to use the SetEnvIf line, but some people report that they had to use the RewriteRule line.
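On the application side, the value then has to be read back out of the environment and parsed strictly. The following is an added example, not code from the original post: it assumes a CGI/WSGI-style backend that sees Apache's environment as a dict, and the function name bearer_token_from_environ is hypothetical.

```python
import re

# RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token
_BEARER_RE = re.compile(r"Bearer +([A-Za-z0-9\-._~+/]+=*)", re.IGNORECASE)

# HTTP_AUTHORIZATION is the variable set by the SetEnvIf / RewriteRule lines.
# After an internal redirect Apache re-exports environment variables with a
# REDIRECT_ prefix, so that name is checked as a fallback.
_CANDIDATE_KEYS = ("HTTP_AUTHORIZATION", "REDIRECT_HTTP_AUTHORIZATION")


def bearer_token_from_environ(environ):
    """Return the bearer token from a CGI/WSGI-style environ, or None."""
    for key in _CANDIDATE_KEYS:
        value = environ.get(key)
        if not value:
            continue  # variable unset or empty: try the next candidate
        # A present but malformed value (other scheme, embedded whitespace,
        # control characters) is rejected outright instead of falling
        # through to another source.
        match = _BEARER_RE.fullmatch(value.strip())
        return match.group(1) if match else None
    return None


if __name__ == "__main__":
    # Constructed sample environments, not captured from a real server.
    samples = [
        {"HTTP_AUTHORIZATION": "Bearer sample.token-123"},
        {"REDIRECT_HTTP_AUTHORIZATION": "Bearer sample.token-123"},
        {"HTTP_AUTHORIZATION": "Basic dXNlcjpwYXNz"},
        {},  # header never reached the application
    ]
    for env in samples:
        token = bearer_token_from_environ(env)
        # Report only whether a token was found; never log the token itself.
        print(sorted(env), "->", "token present" if token else "no token")
```

If every request reports no token even though the client sends one, the header is not reaching the application and the Apache configuration is the place to look.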