I have inconsistent behaviour when updating a Databricks repo from Azure DevOps vs running the same command in Postman.

In Postman, I can successfully PATCH the repo using a PAT token from Databricks:

ee285999-93b6-45b2-af8c-be7b4a930d35 (1567×437) (microsoft.com)

However, running the pipeline in Azure DevOps I'm using a Generic Service Connection to store the URL:

3b8c0c41-179e-4464-8c48-5fc11cf4489a (511×774) (microsoft.com)

The pipeline (which I usually store in a secret variable) attempts to mimic the postman call using this generic service provider:

stages: 
  - stage: deploy_production
    jobs:
    - deployment: deploy_prod_databricks
      displayName: Deploy Production Databricks
      environment: Debug
      pool: server
      strategy:
        runOnce:
          deploy:
            steps:          
            - task: InvokeRESTAPI@1
              displayName: 'Update deployment repo'
              inputs:
                connectionType: 'connectedServiceName'
                serviceConnection: 'Databricks (Prod)'
                method: 'PATCH'
                headers: |
                  {
                  "Accept":"application/json", 
                  "Authorization": "Bearer dapid956<snip>7b7"
                  }
                body: |
                  {
                  "branch": "releases/2023/02"
                  }

However this generates an incorrect access token error:

898b01eb-1e09-446d-89c1-064ae7630117 (1113×233) (microsoft.com)

I've tried re-issuing tokens, but get the same error. I have confirmed that IP access limits are not enabled on the workspace.

I have ascertained that the token itself is fine because it works in Postman. I have mirror pipelines in my Dev/Test environments which work OK.

Flummoxed what's happening here, it's as if it's not using the token I'm passing it at all. Is there a way to debug what headers are being sent, or any other ideas?