Thanks Francis ...

Your prods have pointed me in the right direction. My initial problem was not being able to include a parameter in the auth_request and that is where the examples brought up the proxy_pass 'solution' ... of cause what I was missing is that the request for the images are already independent requests, so there is no problem simply calling php-fpm directly.

The 'localhost' question is a red herring as php-fpm simply uses the correct root while my proxy_pass setup was using the 'default' localhost settings ... I'm getting my head around the various twists and turns but finding examples that cross the various boundaries is difficult. I will run a crib sheet once I've tidied up what I do have, but my less than optimal setup is working on three sites currently.