AZURE Apim policy to call a external api to validate a authorization token

Question

Hi I have a requirement where i will send a authorization header to a api configured in apim. Below is my curl command

curl --location 'https://apidevdm.apim.ai/mobile/master/health'
--header 'Authorization: MAC id=6cd10251-ba74-4caf-b85a-16b9eaab9189, nonce=3dc81775-a6ea-4d74-8625-09bb6f5ad36c, ts=1701233645851, httpMethod=post, path=/accessauthorization/storeId, mac=6tqTBERKwPDiAO/sxThTiPosQ/Ta5xh4lzFmk9kUu1s='

My requirement is that i need to write a policy where i need to pass this Authorization as a header to another service which will validate it and send a response. If the token is valid i need to route to the url else throw an error. Below is the policy i tried

<policies>
    <inbound>
        <!-- Log a trace statement to indicate hitting the external service hmac for authentication -->
        <trace source="debug">@("Sending request to external service hmac for authentication")</trace>
        <!-- Log the Authorization Header for verification -->
        <trace source="debug">@("Authorization Header: " + context.Request.Headers.GetValueOrDefault("Authorization", ""))</trace>
        <!-- Check if Authorization header is present -->
        <choose>
            <when condition="@(string.IsNullOrEmpty(context.Request.Headers.GetValueOrDefault("Authorization", "")))">
                <!-- Return a 401 status if Authorization header is missing -->
                <return-response>
                    <set-status code="401" reason="Unauthorized" />
                    <set-header name="WWW-Authenticate" exists-action="override">
                        <value>Bearer error="missing_token"</value>
                    </set-header>
                </return-response>
            </when>
            <otherwise>
                <!-- Check if Authorization header has MAC scheme -->
                <choose>
                    <when condition="@(context.Request.Headers.GetValueOrDefault("Authorization", "").StartsWith("MAC"))">
                        <!-- Forward the request to another service -->
                        <send-request mode="new" response-variable-name="backendResponse" timeout="20" ignore-error="false">
                            <set-url>http://cloudapp.azure.com:3012/api/auth/validateToken</set-url>
                            <set-method>GET</set-method>
                            <set-header name="Content-Type" exists-action="override">
                                <value>application/json</value>
                            </set-header>
                            <!-- Pass the Authorization header to the external service -->
                            <set-header name="Authorization" exists-action="override">
                                <value>@(context.Request.Headers.GetValueOrDefault("Authorization", ""))</value>
                            </set-header>
                        </send-request>
                    </when>
                    <otherwise>
                        <!-- Return a 401 status if Authorization header has an unsupported scheme -->
                        <return-response>
                            <set-status code="401" reason="Unauthorized" />
                            <set-header name="WWW-Authenticate" exists-action="override">
                                <value>Bearer error="unsupported_scheme"</value>
                            </set-header>
                        </return-response>
                    </otherwise>
                </choose>
            </otherwise>
        </choose>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <!-- Log the status code for debugging purposes -->
        <trace source="debug">@("Attempting to retrieve backend response status code.")</trace>
        <!-- Check if the response object and StatusCode property are available -->
        <choose>
            <when condition="@(context.Response != null && context.Response.StatusCode != null)">
                <!-- Log the status code for debugging purposes -->
                <trace source="debug">@("Backend response status code: " + context.Response.StatusCode)</trace>
                <!-- Check if the backend response is a 401 Unauthorized -->
                <choose>
                    <when condition="@(context.Response.StatusCode == 401)">
                        <!-- Log the status code for debugging purposes -->
                        <trace source="debug">@("Backend response status code is 401. Returning Unauthorized.")</trace>
                        <!-- Return a 401 status with an appropriate message -->
                        <return-response>
                            <set-status code="401" reason="Unauthorized" />
                            <set-header name="WWW-Authenticate" exists-action="override">
                                <value>Bearer error="invalid_token"</value>
                            </set-header>
                        </return-response>
                    </when>
                    <otherwise>
                        <!-- Log the status code for debugging purposes -->
                        <trace source="debug">@("Backend response status code is not 401.")</trace>
                        <!-- Continue with other conditions if needed -->
                    </otherwise>
                </choose>
            </when>
            <otherwise>
                <!-- Log a warning if StatusCode is not available -->
                <trace source="warning">@("Backend response does not contain StatusCode property.")</trace>
                <!-- Continue with other conditions if needed -->
            </otherwise>
        </choose>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

The above policy is not validating properly. If i pass a invalid mac header it is authorizing

Kindly guide as where i am making a mistake.