Update: The Keycloak config was mostly fine, our authproxies still had bad state in them. In the end, we configured Keycloak as followed, and then restarted all the authproxies, and everything was fine:
KC_PROXY_HEADERS: xforwarded
-
KC_HTTP_ENABLED: true
-
KC_HOSTNAME: subdomain.domain.com
-
KC_HOSTNAME_STRICT: true
-
KC_HTTP_RELATIVE_PATH: /org-auth/auth
-
KC_FEATURES: hostname:v2