OK. It appears it was a cookie path problem.
I eventually solved it by adding @define( 'ADMIN_COOKIE_PATH', "https://wordpress.stackexchange.com/" ); to the start of wp-config.php – as suggested by AppFlak.
The vital clue came from monitoring the output of wp_parse_auth_cookie() under various states.
Thanks for the ideas, guys! Makes it a lot easier with extra brains on the case 🙂