@mjg59 I imagine some of the pushback on TLS-based solutions is about getting it to work if you've e.g. decided to let Cloudflare MITM your connections or use some other service to terminate the TLS connections. If that frontend doesn't support the feature or doesn't pass through the relevant info, you're screwed.
I also wonder if the difficulties with OAuth 1.0 tilted people towards simple bearer tokens. I remember having a lot of difficulty with Apache normalising requests in ways that would break signatures by the time the application saw the request. It was bad enough to just recommend people use PLAINTEXT mode. That feels like it directly leads to OAuth 2.0 only defining bearer tokens at launch.