Only restarting kibana seems to work. :-(
After restarting only kibana, and using same token, authentication works.
Suspect, but can't validate that kibana server is somehow maintaining state associated with token or it's cookie ?
kibana-service | {"type":"log","@timestamp":"2019-06-04T22:24:11Z","tags":["plugin","debug"],"pid":1,"message":"Checking Elasticsearch version"}
kibana-service | {"type":"log","@timestamp":"2019-06-04T22:24:13Z","tags":["debug","legacy-proxy"],"pid":1,"message":"Event is being forwarded: connection"}
kibana-service | {"type":"log","@timestamp":"2019-06-04T22:24:13Z","tags":["debug","legacy-service"],"pid":1,"message":"Request will be handled by proxy POST:/elasticsearch/_msearch?rest_total_hits_as_int=true&ignore_throttled=true."}
kibana-service | {"type":"response","@timestamp":"2019-06-04T22:24:13Z","tags":[],"pid":1,"method":"post","statusCode":302,"req":{"url":"/elasticsearch/_msearch?rest_total_hits_as_int=true&ignore_throttled=true","method":"post","headers":{"connection":"upgrade","host":"localhost","content-length":"1383","accept":"application/json, text/plain, */*","origin":"http://localhost","kbn-version":"6.7.1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36","dnt":"1","content-type":"application/x-ndjson","referer":"http://localhost/kibana/app/kibana","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9","securitytenant":"__user__"},"remoteAddress":"172.19.0.11","userAgent":"172.19.0.11","referer":"http://localhost/kibana/app/kibana"},"res":{"statusCode":302,"responseTime":8,"contentLength":9},"message":"POST /elasticsearch/_msearch?rest_total_hits_as_int=true&ignore_throttled=true 302 8ms - 9.0B"}
kibana-service | {"type":"log","@timestamp":"2019-06-04T22:24:13Z","tags":["debug","legacy-proxy"],"pid":1,"message":"Event is being forwarded: connection"}
kibana-service | {"type":"log","@timestamp":"2019-06-04T22:24:13Z","tags":["debug","legacy-service"],"pid":1,"message":"Request will be handled by proxy GET:/customerror?type=sessionExpired."}
kibana-service | {"type":"response","@timestamp":"2019-06-04T22:24:13Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/customerror?type=sessionExpired","method":"get","headers":{"connection":"upgrade","host":"localhost","accept":"application/json, text/plain, */*","kbn-version":"6.7.1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36","dnt":"1","referer":"http://localhost/kibana/app/kibana","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9"},"remoteAddress":"172.19.0.11","userAgent":"172.19.0.11","referer":"http://localhost/kibana/app/kibana"},"res":{"statusCode":200,"responseTime":8,"contentLength":9},"message":"GET /customerror?type=sessionExpired 200 8ms - 9.0B"}
kibana-service | {"type":"log","@timestamp":"2019-06-04T22:24:13Z","tags":["plugin","debug"],"pid":1,"message":"Checking Elasticsearch version"}