@richard
This could be related to the HTTP client library automatically following the redirect in the metadata request and sending the the original authorisation header? The following post provides some further explanation.
Let me know if this helps.
Thanks,
Mark.