Switching to a client certificate looks promising. I disabled http basic auth and enforced the presence of a valid client certificate. Seems to work for the rest calls as well. 
The Basic Auth prompt does not work with Service Workers, because of a problem in the specification and implementation of the Web Fetch API, see Allow more flexibility in how 401s/407s are handled? · Issue #1132 · whatwg/fetch · GitHub