Have you tried setting the CSRF header?
https://docs.mendix.com/refguide/published-rest-service/#32-authentication-methods
Before you get the 401 arent you getting asked for a basic authentication alert in the browser?What i noticed in the past is, if the Active option of the service is checked then it asks you to fetch the login info and trigger the call (as if being a non mendix application) - which never works. (this is something to think about)
if you just enable Username instead of Active then it asks for the same username/password popup and this time with valid creds it will work - as expected ofcourse
if you enable both Username and Active - it simply takes the current login session info and make you do the call.
FYi i tred the same scenario of your using a JS Action(for demo) and i can see the same behavior.