Fix: 405 Method Not Allowed instead of 401 with JWT bearer in ASP.NET Core
A protected endpoint returning 405 instead of 401 almost always means routing rejected the HTTP verb before auth ran, or a cookie scheme stole the challenge. Here is how to tell which.