Hi Ilya,
We seem to have figured out a workaround. For some reason, the authorizationHeader value gets put into an encrypted variable upon deployment due to a 'security improvement' that was implemented by Microsoft. However, this only happens when a single auth header value is present. Adding another auth header with a nonsense value allows you to successfully deploy the Rest LS with auth headers intact.
E.g.:
Leads to...
No headers.
But this:
Leads to retained headers!
Still eager for Microsoft to fix this issue, so we don't have to insert nonsense values in our auth headers as a workaround.
Hope this works for your situation as well!