This is unfortunately a problem with Asp.net as a whole (although it comes from a problem in the HTTP specification), it does not distinguish between unauthorized users and unauthenticated users, although they seem to go out of their way to talk about the difference. To change this behavior, you will need to write a lot of code, and the easiest way to write your own handler is to check if you have already passed the authentication.
The HTTP standard is never intended to be in an “authenticated state”. In fact, he does not even know about the concept of "user". Each page request is designed to transfer information independent of other page requests. The fact that browsers cache this information (or authentication is done by cookies) is not related to what was provided by the standard.
The standard basically says that the server should release 401 if the requested resource is not authorized, and since each request has its own authorization, a simple pass / fail scenario is outlined. There is no concept of an authorized state on the site. The request either succeeds or does not work.
I think frameworks like ASP.NET have come a long way toward creating their own authorization and authentication state, but they really should just go all the way here.
You can find this thread highlighting the disagreement between the web community regarding accurate interpretations.
403 Forbidden vs 401 Unauthorized HTTP responses