Consul Secrets Engine: 401 (ACL support disabled)

Having some issues configuring the Consul Secrets Engine with Vault.

Consul Backend is not configured (using Raft). Consul is, however, configured for service registration, which works fine.

Policies and roles are configured according to docs.

$ vault read consul_nomad/roles/test
Key           Value
---           -----
lease         0
local         false
max_ttl       0s
policies      [test]
token_type    client
ttl           0s

$ consul acl policy read -name=test
ID:           abc-abc-abc-abc
Name:         test
Description:  test
key_prefix "test/" {
  policy = "write"


$ curl -H "X-Vault-Token: $VAULT_BOOTSTRAP_TOKEN" https://vault:8200/v1/consul_nomad/creds/test
{"errors":["Unexpected response code: 401 (ACL support disabled)"]}

All Consul clients and servers have datacenter and primary_datacenter set.
Nothing showing up in either consul or vault logs.

Vault version 1.4.1
Consul version 1.7.3