It would seem that it is partially broken. I even have an open dev item with Epicor about how it isn’t working as intended, not that I expect them to patch something on 10.2.
Like, the whole thing with what I wrote is that it uses a non-SSO service account to authenticate the rest call.