I am just summarizing our discussion here for the community benefit.
Based on your observation above, you are hitting the limitation mentioned here:
If a response has more than one header with the same name, then rewriting the value of one of those headers will result in dropping the other headers in the response. This can usually happen with Set-Cookie header since you can have more than one Set-Cookie header in a response. One such scenario is when you're using an app service with an application gateway and have configured cookie-based session affinity on the application gateway. In this case the response will contain two Set-Cookie headers: one used by the app service, for example:
Set-Cookie: ARRAffinity=ba127f1caf6ac822b2347cc18bba0364d699ca1ad44d20e0ec01ea80cda2a735;Path=/;HttpOnly;Domain=sitename.azurewebsites.net
and another for application gateway affinity, for example:
Set-Cookie: ApplicationGatewayAffinity=c1a2bd51lfd396387f96bl9cc3d2c516; Path=/
Rewriting one of the Set-Cookie headers in this scenario can result in removing the other Set-Cookie header from the response.
The IF condition applies only to the first Set-Cookie header coming in the response, but the rewrite action will replace all of them with one Set-Cookie header.
It will help if you upvote this feature request related to this limitation here
Hope this helps! Please let me know if you have any additional questions. Thank you!
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
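
The behaviour described in the answer above, modelled as an added example (not code from the original answer or from Application Gateway itself). The function names, the constructed response and the placeholder cookie values are assumptions made for illustration; the model follows only the two statements in the post: the condition sees the first Set-Cookie header, and the action replaces all of them with one.

```python
import re

# Constructed backend response; cookie values are placeholders, not real tokens.
RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "ARRAffinity=<constructed>;Path=/;HttpOnly;Domain=sitename.azurewebsites.net"),
    ("Set-Cookie", "ApplicationGatewayAffinity=<constructed>; Path=/"),
]

def cookie_names(headers):
    """Names of all cookies set by a response header list."""
    return [v.split("=", 1)[0].strip() for k, v in headers if k.lower() == "set-cookie"]

def rewrite_as_described(headers, name, pattern, replacement):
    """Model of the limitation: the condition is evaluated against the first
    header with this name only, and the action leaves a single header behind."""
    matching = [v for k, v in headers if k.lower() == name.lower()]
    if not matching:
        return list(headers)
    m = re.search(pattern, matching[0])      # only the first value is evaluated
    if m is None:
        return list(headers)                 # condition false: nothing is rewritten
    out, written = [], False
    for k, v in headers:
        if k.lower() != name.lower():
            out.append((k, v))
        elif not written:                    # one rewritten header replaces all
            out.append((k, m.expand(replacement)))
            written = True
    return out

def dropped_cookies(before, after):
    """Cookies present before the rewrite but missing afterwards."""
    kept = set(cookie_names(after))
    return [n for n in cookie_names(before) if n not in kept]

if __name__ == "__main__":
    # Rule aimed at the first cookie: it fires, and the second cookie is lost.
    after = rewrite_as_described(RESPONSE, "Set-Cookie", r"^(ARRAffinity=.*)$", r"\1;Secure")
    print("dropped:", dropped_cookies(RESPONSE, after))
    # Rule aimed at the second cookie: the condition never sees it, so no rewrite.
    after = rewrite_as_described(RESPONSE, "Set-Cookie", r"^(ApplicationGatewayAffinity=.*)$", r"\1;Secure")
    print("unchanged:", after == RESPONSE)
```

Running the same `dropped_cookies` comparison on real responses captured before and after enabling a rewrite rule shows whether an affinity or session cookie is being lost.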