This is because of a deeply annoying default in Apache, where for "security reasons" the underlying script doesn't get to see auth details that might already be handled by Apache. At some point they added the CGIPassAuth directive[1] but all kinds of other workarounds are floating around on the internet.

[1]: https://httpd.apache.org/docs/2.4/en/mod/core.html#cgipassau...