I would wager you are running into the CSRF defense mechanism in that version of the Web API. You could confirm by looking at your admin logs and checking for warnings that would suggest this. This documentation gives you some options to proceed from there.
yup. thanks for the fast response. we ended up adding this x-requested-with header and that solved it. confusing stuff. need to review our best practices on pi web api usage and on config changes after upgrading to 2017.
seams to be along the lines of this post: https://pisquare.osisoft.com/message/99831-re-pi-web-api-2017-http-post-request#comment-99831
thanks, and kind regards,