“Authorization has been denied for this request” when accessing Web API deployed in Azure

Following on from this question: AADSTS50013: Assertion audience claim does not match the required value

I've now successfully got the web apps running with this security model: SPA application using adal.js/adal_angular.js to authenticate via AAD. Returned token is passed to web api [API1] that runs on the same machine. That web api gets a new token on behalf of the user to access a downstream API [API2].

The downstream api gets a new token on behalf of the user to access another downstream API [API3].

Now, when I have [API2] running locally, this is all working.
However, when I deploy that web app to my Azure subscription, and attempt to call it (without changing anything else other than the url in the REST API call from [API1]), I get the following:

{"Message":"Authorization has been denied for this request."}

There doesn't appear to be any other error details returned or in the Fiddler trace. Comparing the jwt token payloads between the call that works and the one that doesn't, doesn't reveal much. They appear the same other than the expiry claims and the "aio" (not sure what that is).

The only change is the URL of the deployed web app (from http://localhost:8080/ to http://mywebappname.azurewebsites.net/)

Note that the web app is deployed into a different AD tenant to the one where the app registrations and [API3] are located, but I didn't think this mattered.

Any thoughts out there on what I might need to change when I deploy, or how to troubleshoot this further?

Update: Request works with Curl

Making the same request using curl is working:

curl -H "Authorization: Bearer ey..." http://mywebapi.azurewebsites.net/api/resource

So the issue appears to be how I'm making the request in my C# code? Comparing the headers in Fiddler, I don't see any difference. This is the Fiddler trace from curl that is working:

GET http://mywebapi.azurewebsites.net/api/resource HTTP/1.1
Host: mywebapi.azurewebsites.net
User-Agent: curl/7.46.0
Accept: */*
Connection: Keep-Alive
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJ<snip>

This is the Fiddler trace from my code that is not working:

GET http://mywebapi.azurewebsites.net/api/resource HTTP/1.1
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJ<snip>
Accept: */*
User-Agent: RestSharp/100.0.0.0
Host: mywebapi.azurewebsites.net
Accept-Encoding: gzip, deflate

Here is the request from C#:

var restClient = new RestClient(serviceUrl) { Timeout = timeout};
var restRequest = new RestRequest(apiEndpoint, Method.GET);
var bearerToken = $"Bearer {securityToken}";
restRequest.AddParameter("Authorization", bearerToken, ParameterType.HttpHeader);
var response = restClient.Execute(restRequest);

On the Azure web site logs, I can see that the authentication type for the successful curl request is "JWT", however for the failed requests from my code they are "anonymous". Somehow the header must be being stripped despite it showing up correctly in the Fiddler trace? Is this possible?