Error logging in to secure domain setup

I am developing my own Kubernetes deployment of Jitsi, and it is working great as long as I have authentication disabled in Jicofo. However, I am having trouble getting the secure domain setup working. In prosody.cfg.lua I have a main domain and guest domain set up:

VirtualHost "jitsi"
    authentication = "internal_hashed"

    c2s_require_encryption = false
    lobby_muc = "lobby.jitsi"
    main_muc = "muc.jitsi"
    ssl = {
        key = "/etc/prosody/certs/jitsi.key";
        certificate = "/etc/prosody/certs/jitsi.crt";
    }

    modules_enabled = {
        "bosh";
        "websocket";
        "pubsub";
        "ping";
        "conference_duration";
        "muc_lobby_rooms";
    }

VirtualHost "guest.jitsi"
    authentication = "anonymous"
    c2s_require_encryption = false

and then in jicofo.conf, I have the following in the authentication block:

  authentication: {
    enabled = true
    type = XMPP
    login-url = "jitsi"
  }

I then create a user on the main domain:

prosodyctl register tim jitsi mypassword

When I attempt to create a call, I am prompted to log in. I can see that I logged in successfully in the prosody log:

bosh920413e3-791e-4427-a715-a8dcbb237e51  info	Authenticated as tim@jitsi

However, the login prompt hangs on “obtaining session-id” and I can see the following error in the browser console:

authenticationError: "not-authorized"
message: "not authorized user domain"

This error seems to originate here, suggesting that jicofo is not able to obtain my user’s session, but there is no error printed in the jicofo log. I can make calls just fine if I change authentication to enabled = false in jicofo.conf, and it appears that my focus and brewery users are able to authenticate just fine internally.

Been fighting with this for a few days - please let me know if you think of anything I should try! The service versions are:

prosody 1.0.5415-1
jicofo 1.0-813-1

from stable channel