I was having the same issue in .NET 9 Blazor and worked around it by avoiding the @attribute and using <AuthorizeView> to wrap the page instead. This seems to have allowed the authorization logic to kick in and hydrate by current authorization state properly [we happened to be using Okta/OIDC].

Gave 401 on direct access:

@attribute [Authorize(Policy="FooPolicy")]

Showed appropriate page:

<AuthorizeView Policy="FooPolicy">
  <Authorized>
    ... existing page content...
  </Authorized>
  <NotAuthorized>
    <h3>Access Denied</h3>
  </NotAuthorized>
</AuthorizeView>