I noticed that I was sending the user credentials again when making the 'authenticated' request. This was causing the server to ignore the token and return a 401 unauthorised response.
So the fix was to the remove the following line from my 'authenticated request'.
httpGet.addHeader(BasicScheme.authenticate(new UsernamePasswordCredentials("test-user@example.com", "Password!"), "UTF-8", false));
To be clear, this line is still necessary for the first request.