Using Ory Network for authZ with self-hosted Oathkeeper

[calebgrollins]

We're self-hosting Oathkeeper but using Ory Network for everything else. I am trying to configure an authorizer to point at Ory Network to figure out if a user has permission to access a specific service.

I have this config, but there's no permission to call /relation-tuples/check, the end-user sees {"error":{"code":500,"status":"Internal Server Error","message":"expected status code 200 but got 401"}}.

Should I somehow configure Oathkeeper to use an Ory Network API key when calling the endpoint? (I am assuming the request from the authorizer is coming from Oathkeeper and not from the end-user)

I see it's not yet possible to supply headers when using remote_json, so I'm not sure how to do this.

authorizers:
    remote_json:
      enabled: true
      config:
        remote: "https://<our Ory Network custom domain>/relation-tuples/check"
        payload: |
          {
            "subject_id": "{{ print .Subject }}",
            "namespace": "Application",
            "object": "helloworld",
            "relation": "use"
          }

I also see an example here of using Ory Network for authN but no such example for authZ. So is it even possible to use Ory Network for authZ?