That should work as long as no authorization element in web.config gets in the way. Or IOW use the AuthorizeAttribute instead.
But that's a general problem with cookie based authentication for Web APIs because now you are opening up yourself to CSRF attacks. What you really should do is separate UI and APIs and treat both clients as "external" with token based authentication. But that's of course a big architectural change (though in the right direction).