The test failed. It is refused by authorization. However, if I start the server and run it from curl it will succeed in the authorization.
After investigating the cause, it turned out that org.springframework.test.web.reactive.server.AbstractMockServerSpec set webSessionManager to DefaultWebSessionManager. The default is used, not the webSessionManager I customized. For this reason, it could not get the session ID.
Indeed this looks like a bug, related to #20233 where the goal was to ensure the session manager instance is re-used across requests. However if one is configured as a bean, it should be used instead. Since I'm already in the middle of the solution, I'll just wrap this up.