To give more context: It is a workflow that runs on item creation/modified, and should copy the attachment file from this item to a different doc library. The web requests calls that I have and fail are: 

• _api/web/GetFileByServerRelativeUrl - fails with 404 not found when “Require Use Remote Interfaces permission” is unchecked but if “Require Use Remote Interfaces permission” is checked it returns 200 and it works fine
• _api/web/GetFileById('GUID')/copyto(strnewurl='relativeUrlForDifferentList',boverwrite=true) - fails with 403 when “Require Use Remote Interfaces permission” is checked

Before those calls that fail I also have other web request calls in the workflow that work correctly like: 

• /_api/lists(guid'a3df637d-e6f5-416c-b803-e7c1af0e247e')/Items(3404)/AttachmentFiles - to get the attachment from current list item
• /_api/Web/GetFolderByServerRelativeUrl('relativeUrlForFolderInList')

Further debugging shows that the 403 error message actually is “The security validation for this page is invalid.Click Back in your Web browser, refresh the page, and try your operation again”.

The formdigest is present in the request and it stills throws this error so I really do not know why this is happening. What is the difference when anonymous is enabled in the site collection? 

if you were to wrap the entire workflow in an Action Set and then use the Run as workflow Owner option, does that help anything? 

 

you’d still have to do some extra work to capture *who* is running the workflow but I just wanna see if this would at least solve the status issue 

I already tried this with no luck. I also initiated the workflow with the administrator account that is also the sp farm admin with same results.

I managed to resolve the issue by adding the following header to the form digest web request call: “X-RequestForceAuthentication” : “true”.

Hopefully this will help also others facing this issue.