I appreciate the suggestion but it doesn't look like this is possible to solve with these modules. The authentication part happens as a sub-request, and the response provided by sub request influences how the gRPC part is handled at the top level. Unless I can figure out some way to pass variables from the sub request and handle things differently... I don't know.
If I return 200, the request proceeds as if it were authorized. This is bad.
If I return 401 and try to set the headers/trailers, I don't think it affects the top level request/response. I always get grpc.CANCELLED at the client.