Hi,
we had similar issue and it costs me 2 days to find a solution 
And Finally here it is…
The problem is that we cannot handle URI inside the location because it is changed due to REWRITE Rules…
So then the solution was to set a varaible called self-service when a Powershell comes in and later use this env:
SetEnvIf User-Agent “.WindowsPowerShell.” self-service
and:
Require valid-user
Require env self-service
This means(as RequireAny is implcit) we required a valid-user OR a User-Agent which contains WindowsPowerShell( which is protected by api-key and this stuff handled outside apache)
# cat /etc/apache2/conf-enabled/icingaweb2.conf
Alias /icingaweb2 "/usr/share/icingaweb2/public"
<Directory "/usr/share/icingaweb2/public">
Options SymLinksIfOwnerMatch
AllowOverride None
Require all granted
SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteBase /icingaweb2
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ index.php [NC,L]
</IfModule>
<IfModule !mod_rewrite.c>
DirectoryIndex error_norewrite.html
ErrorDocument 404 /icingaweb2/error_norewrite.html
</IfModule>
DirectoryIndex index.php
</Directory>
SetEnvIf User-Agent ".*WindowsPowerShell.*" self-service
<Location /icingaweb2>
Order allow,deny
Allow from all
AuthType openid-connect
Require valid-user
Require env self-service
SSLRequireSSL
SSLOptions +StdEnvVars
</Location>
#