Heads up people!
After 6 hours of digging through the code base this line stood out:
$this->guard = request()->has('token') ? 'api' : 'customer';
It means even if you have the header set correctly, your mobile application will still not authenticate. So, to solve this, what you need to do is add:
On all objects that need to be authenticated. If stuck reach-out.