How does vault authorize the /identity/oidc/provider/:name/authorize endpoint?

I am trying to implement a typical web app with application server (RP) backend and Vault as the Authorization Endpoint (OP). See Authentication Request for the scenario I am implementing. The web app is redirected to the Vault /identity/oidc/provider/:name/authorize endpoint. When the web app GETs that endpoint, it receives a 403 instead of a redirect back to the application server. The sample request in the documentation shows an X-Vault-Token being supplied. How is a web app expected to supply that header? What am I missing?