According to documentation:
“The prefix that should be stripped before decoding the token. For example, for “Authorization: Bearer ”, prefix=“Bearer ” with a space at the end. If the header doesn’t have this exact prefix, it is considerred invalid.”
jwtheader prefix should discard invalid prefix. This is not the case when Authentication policy is applied on workload.