Kubernetes 401 Unauthorized, token not copied to containers
The service account token secret should be added as a volume when the pods are created. This is done by the ServiceAccount admission plugin.
Some questions:
If you inspect one of the running pods in the API, does it include a volume and volume mount referencing a service account token?
What admission plugins do you have configured for your API server?
The token is itself created during admission control processing.
The setting recommended for >1.4 is:
--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
Mind the "ServiceAccount" part!
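The two checks raised in the answers above, as an added example that is not part of the original thread: does a pod spec (as returned by `kubectl get pod -o json`) carry a service account token volume and mount, and do the API server arguments list `ServiceAccount`. The sample pod, the function names and the `-token-` secret-name heuristic are assumptions made for illustration; the projected-volume form and the `--enable-admission-plugins` flag go beyond the page and cover newer Kubernetes releases.

```python
# Standard path where the service account token is mounted in containers.
TOKEN_MOUNT = "/var/run/secrets/kubernetes.io/serviceaccount"

def token_volumes(pod):
    """Names of volumes in the pod spec that carry a service account token."""
    names = set()
    for vol in pod["spec"].get("volumes", []):
        secret = vol.get("secret", {}).get("secretName", "")
        sources = vol.get("projected", {}).get("sources", [])
        # Heuristic (assumption): token secrets are named <account>-token-<suffix>.
        if "-token-" in secret or any("serviceAccountToken" in s for s in sources):
            names.add(vol["name"])
    return names

def containers_missing_token(pod):
    """Containers with no token volume mounted at the standard path."""
    vols = token_volumes(pod)
    missing = []
    for c in pod["spec"].get("containers", []):
        mounts = c.get("volumeMounts", [])
        if not any(m.get("name") in vols and m.get("mountPath") == TOKEN_MOUNT
                   for m in mounts):
            missing.append(c["name"])
    return missing

def serviceaccount_plugin_enabled(apiserver_args):
    """True if an admission flag in the API server arguments lists ServiceAccount."""
    for arg in apiserver_args:
        flag, _, value = arg.partition("=")
        if flag in ("--admission-control", "--enable-admission-plugins"):
            if "ServiceAccount" in value.split(","):
                return True
    return False

# Constructed sample pod: "app" has the token mounted, "sidecar" does not.
SAMPLE_POD = {"spec": {
    "volumes": [{"name": "default-token-x1y2z",
                 "secret": {"secretName": "default-token-x1y2z"}}],
    "containers": [
        {"name": "app", "volumeMounts": [
            {"name": "default-token-x1y2z", "mountPath": TOKEN_MOUNT}]},
        {"name": "sidecar", "volumeMounts": []}]}}

if __name__ == "__main__":
    print("token volumes:", sorted(token_volumes(SAMPLE_POD)))
    print("containers without token:", containers_missing_token(SAMPLE_POD))
```

An empty result from `token_volumes` on a pod created after the API server started points at the admission configuration rather than at the pod itself.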