I used git bisect to track this down. Our server mainly handles basic-auth protected image uploads through a CGI. All the clients are using NSURLSession to connect to the CGI. After the 401 reply NGINX is sending the RST_STREAM (as the images may be quite large and the upload continues) but the NSURLSession and its subcomponents are not re-trying with an authorized requst. Instead they are failing with an error.
As I can patch the sources and build my own version as a work-around, I would like to send you an heads up. Maybe this is an issue with all browsers on macOS/iOS that are using the NSURLSession subsystem.
Also you may consider adding a configuration option for the RST_STREAM handling, so that the user/administrator can decide whether most of its web-clients properly support the RST_STREAM.