OK. It appears it was a cookie path problem.
I eventually solved it by adding @define( 'ADMIN_COOKIE_PATH', "https://wordpress.stackexchange.com/" );
to the start of wp-config.php
– as suggested by AppFlak.
The vital clue came from monitoring the output of wp_parse_auth_cookie()
under various states.
Thanks for the ideas, guys! Makes it a lot easier with extra brains on the case 🙂