I worked an issue where, on querying from SPO, some of the users saw a 401.
The part that could be broken here is User Rehydration.
In this case the user had synced the AD groups to SPO via DirSync but had not synced the groups from AD into the User Profile in on-prem SharePoint.
Once we checked the Groups OU in the UPA in on-prem SharePoint and synced them, we did not see any 401 anymore.
To give a general idea of what happens when a user fires a query from SPO:
1. The Query Processing component (QPC) of SPO contacts the Index component and pulls the results.
2. SPO contacts the Secure Store (certificate authentication happens with the reverse proxy).
3. The QPC of SPO then successfully contacts the QPC of on-prem.
4. The QPC of on-prem calls into the UPA and user rehydration happens. If the user or the groups carried in the claims have not been synced into the UPA, rehydration cannot resolve them, which is where the 401 above comes from.
   To rehydrate a user's identity, a server that runs SharePoint 2013 takes the claims from the incoming access token and resolves them to a specific SharePoint user. By default, SharePoint 2013 uses the built-in User Profile service application as the identity resolver.
5. The ACL match is now done and the results are sent from the on-prem Index component to the on-prem QPC and back to SPO.
6. The results are merged in the QPC of SPO and displayed to the user.