This distinction has irritated me for 30 years, and still trips people up. First off, there is a clear distinction between Authentication (AuthN) and Authorization (AuthZ). AuthN is answering the question of "Who are you?" AuthZ answers the question of "What are you allowed to do?" It is necessary to answer the question of AuthN before approaching the question of AuthZ, because you have to know who the user is before deciding what they can do.

"401 Unauthorized" is supposedly stating that the question of AuthN has not been answered, and "403 Forbidden" answers the AuthZ question negatively. What is confusing is that the text "Unauthorized" is incorrect, and has been for 30+ years. Should be "Not Authenticated". But many apps out there are probably looking for the text (instead of just the code), and would break if they changed it now.

Hopefully this clears up the confusing for anyone looking at the response and thinking, "Is that status right?" It is... and it isn't.