Found the answer here and an example handler here.
You need to set the InnerHandler you want the request passed on to.
Simply add this to your constructor:
public class WebApiAuthenticationHandler : DelegatingHandler
{
public WebApiAuthenticationHandler(HttpConfiguration httpConfiguration)
{
InnerHandler = new HttpControllerDispatcher(httpConfiguration);
}
And pass in a reference to GlobalConfiguration when creating a new instance:
routes.MapHttpRoute("DefaultApi", "api/{controller}/{id}", new { id = RouteParameter.Optional }, null, WebApiAuthenticationHandler(GlobalConfiguration.Configuration));