You should see that the 403/407 are always followed by the same request that includes a category and username. What you are seeing is the first request is unauthenticated, and the client is redirected for authentication before doing categorization. So the first request won't have a username or a category. After being authenticated, they are redirected back to the original URL and your normal policy would be applied, including categorization.
For this reason, Web Reporter and CSR both drop 403/407 requests during log parsing.
Thank you very much for your quick response. Your information was very helpful.