The following traces explain what to look for in an Identity Injection policy that injects an authorization header:
When a User Is Authenticated
When a User Is Not Authenticated