Turns out my problem was within postman.

For some reason I had two Authorization headers, one with correct value and another one empty. here how it was

Whenever I send a request with double Authorization header to NGINX it returns a 400 response.

It only occurs in websocket collections, HTTP collections runs fine with double Auth headers, probable because Postman overrides with the default one. Maybe it doesn't do the same for Websocket collections?