The following traces explain what to look for in an Identity Injection policy that injects an authorization header:
When the User Has Authenticated
When the User Has Not Authenticated