Ooh. I think you're right. I was testing more with charles and it seems like my re-run of the original request that caused the 401 actually still uses the old Auth. I replaced it with this

return response
        .request
        .newBuilder()
        .header("Authorization", "Bearer: ${appUserManager.authToken!!}")
        .build()

and we seem to be back in business. I thought it re-ran the request again, which would call all of my other interceptors again (which would have given the request the updated token) but it instead seems like it just runs that request identically to before. So with my change above, I think we're in a good spot.