You can sort of convolute a reason why 401 Unauthorized is valid, based on the fact that most systems which control access to resources have a (often implicit) policy that users for whom the identity is not known are not allowed to access anything.
Therefore the request is unauthorized because the server wasn't able to authenticate the user. But that's still not consistent with 403 though, so it's not very satisfying.
But this also speaks to one of the nubs of the terminology issue. "Actors" are authenticated, "Actions" are authorized.
Yeah, I think if they were renaming these response codes today, they’d name them something more like “401 Not Authenticated” and “403 Not Authorized”, but it’s too late for that. And I personally think you can say that either an actor or an action is “not authenticated.”
Therefore the request is unauthorized because the server wasn't able to authenticate the user. But that's still not consistent with 403 though, so it's not very satisfying.
But this also speaks to one of the nubs of the terminology issue. "Actors" are authenticated, "Actions" are authorized.