How to configure test environment for authenticated Keycloak API tests without 401 error?

[Invop]

Question: How to correctly configure tests for Keycloak authentication?

I'm having an issue running authenticated API endpoint tests with Keycloak. My configuration seems correct, but tests receive a 401 Unauthorized, while using curl or Scalar works fine for the same user credentials and endpoint.

Current configuration:

// Adding Keycloak test container and parameters
var keycloak = builder.AddKeycloak("keycloak", 8080)
                      .WithDataVolume()
                      .WithRealmImport("./realms");

var geminiApiKey = builder.AddParameter("GeminiApiKey", secret: true);

var api = builder.AddProject<Projects.Prickle_Api>("api")
    .WithUrlForEndpoint("https", e =>
    {
        e.DisplayText = "Scalar";
        e.Url += "/scalar";
    })
    .WithEnvironment("GEMINI_API_KEY", geminiApiKey)
    .WithReference(keycloak).WaitFor(keycloak)
    .WithReference(prickleDb).WaitFor(prickleDb);

// Configuring authentication
private static IServiceCollection AddAuthenticationInternal(
    this IServiceCollection services,
    IConfiguration configuration,
    bool requireHttpsMetadata = false)
{
    var realm = "prickle";
    services.AddAuthentication(options =>
            {
                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
            })
            .AddKeycloakJwtBearer(
                "keycloak",
                realm,
                options =>
                {
                    options.TokenValidationParameters.ValidAudiences = ["web-api", "account"];
                    options.RequireHttpsMetadata = requireHttpsMetadata;
                });
    services.AddHttpContextAccessor();
    services.AddScoped<IUserContext, UserContext>();

    return services;
}

// Test helpers for creating authed HttpClients
protected async Task<HttpClient> CreateHttpClientAsync(string resourceName, string? endpointName = null, string username = "bob", string? password = null)
{
    var client = AppHostFactory.App.CreateHttpClient(resourceName, endpointName, useHttpClientFactory: false);
    var token = await GetTokenAsync(username, password ?? username);
    client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", token);
    return client;
}
    private async Task<string> GetTokenAsync(string username, string password)
    {
        using var httpclient = AppHostFactory.App.CreateHttpClient("keycloak", "http");

        var tokenEndpoint = $"realms/{RealmName}/protocol/openid-connect/token";

        var tokenRequest = new FormUrlEncodedContent(
        [
            new KeyValuePair<string, string>("grant_type", "password"),
            new KeyValuePair<string, string>("client_id", PublicClientId),
            new KeyValuePair<string, string>("username", username),
            new KeyValuePair<string, string>("password", password),
        ]);

        var authorizationResponse = await httpclient.PostAsync(tokenEndpoint, tokenRequest);
.....

I use CreateHttpClientAsync in tests to call an endpoint as an authenticated user, but for every request I get HTTP 401. If I take the same user and call via curl or through Scalar UI, authentication works and the endpoint responds as expected.

Any help or best practices for configuring this scenario test would be appreciated.