Update:
I have narrowed this down to our authentication gem (Clerk) which has Rack middleware to intercept any request with a Bearer token and return 401 immediately if it doesn’t recognise it.
This is why the requests are not getting to the router logs before they are returned.
Took me a while to find that, as I assumed user authentication logic would be at the ApplicationController level. For anyone else landing here, it looks like you just need to add /forest/* as an excluded route in the Clerk config.
Thanks for the help in the meantime!