I am a bit confused as to when ActionResult actually gets evaluated.
ActionResult get evaluated (not flushed to HTTP response or client) after IResultFilter.OnResultExecuting and before IResultFilter.OnResultExecuted
Now what you are demonstrating with Authorize attribute is Action filter and it enable developer to alter/change action result within Action Filter life cycle. Here in Authorize attribute if user is not authenticated then it is changing action result to HttpUnauthorizedResult. Now what you are saying that
something converts that into a 401 header
but actually it is HttpUnauthorizedResult which set response header 401 while instantiating ActionResult object. Once ActionResult is instantiated it will be flushed to HTTP response pipeline.