Configure user token access in the server, and enable "Require user tokens for repository authentication". Then run a Maven build against the server. Artifact downloads will fail with 401 even if a valid token is used.
The reason for this is that Maven by default sends requests with non-preemptive authentication, and will only send credentials in response to a 401 response with a challenge header. The challenge header is missing in the response. Nexus should be setting something like: