The issue was I had wrapped the add_filter calls inside an is_admin() check – which does not work with REST API. I suppose the check wasn't essential anyway, since upload attempts from unauthorized users should be rejected regardless of mime-type.