This happens when a HTTP client library automatically follows the redirect and sends the original Authorization header with the redirected request.
The solution is to prevent the HTTP client from following redirects, retrieve the Location header from the response, then create a new request to that URL without the Authorization header.
For example, in .Net you can do something like this:
string docID = "...";
string apiKey = "...";
string url = "https://document-api.companieshouse.gov.uk/document/" + docID + "/content";
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
request.Headers["Authorization"] = "Basic " + Convert.ToBase64String(Encoding.Default.GetBytes(apiKey + ":"));
request.AllowAutoRedirect = false;
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
HttpWebRequest docRequest = (HttpWebRequest)WebRequest.Create(response.Headers["Location"]);
// ...