The HTTP proxy sees that the user has been authenticated, but isn't sure whether the credentials should be forwarded—it doesn't know whether the ProxySG consumed them on this transaction or perhaps on an earlier transaction. It then chooses not to forward them to avoid leaking them to a third-party origin content server.
If the server were using basic credentials, you could forward them using the server.authenticate.basic gesture. However, that's not an option in this case since the client is presenting "Bearer" credentials.
The CPL policy "authenticate(no, upstream_authentication)" could be used in this case in order for the proxy to forward the client's credentials.