HTTP status codes are not legally binding. EULAs are.
Saying "if the status code isn't 401 then I'm authorized" is like saying "if the door opens, I'm allowed to enter". "Able to" and "allowed to" are not the same thing, especially when you were only "able" because you ignored DO NOT ENTER signs and picked locks.
The fact that you managed to defeat or bypass security measures intended to block you doesn't magically make your behavior legal.
oh, did I not mention that I'm sending an X-send-401-if-use-is-unauthorised-and-also-please-note-that-by-responding-to-this-http-request-you-agree-to-my-eula header in my request?
Yeah, sorry, looks like I did forget to mention that.
I'm sending that header, too. So as you can see, by responding to a request containing that header they're accepting my terms, which are legally binding just like their eula (and in fact specifically take precedence over their eula), and which compels them to detect any use not authorised under their eula and notify me with a 401, and that by failing to do so they're explicitly authorising the use.
So, yeah, it's pretty clear that if they're not responding with a 401, my use is authorised. Thanks for playing!
Cool, so that means you won't go after me after I figure out all your bank passwords and steal all your money? After all, the website sent back a 200 status code, which means I must have been authorized.
HTTP status codes are not legally binding. EULAs are.
Saying "if the status code isn't 401 then I'm authorized" is like saying "if the door opens, I'm allowed to enter". "Able to" and "allowed to" are not the same thing, especially when you were only "able" because you ignored DO NOT ENTER signs and picked locks.
The fact that you managed to defeat or bypass security measures intended to block you doesn't magically make your behavior legal.