This is probably an anti bot measure, the web app is probably detecting that you are using a WebDriver. Also, the x-hsci-auth-token header would need to be unique for each resource, so capturing a specific instance is not useful and you would need to go through the web app code and find how it is being generated.