Bottom Line: I need to get a custom (NOT and ArcGIS) token from the WAB app to my proxy server along with each http call from the WAB app which accesses secure resources.
What I would really like to do is add a custom "Authorization" http header to every call that flows through esriRequest (which looks like the key function that does most of the getting of things.) But I don't really see how I can do that. I suppose that I can hijack something else to get my token to the server... but not really sure where to start. Or maybe there is a totally different way to tackle this problem. But I cannot have the user directly sign on to ArcGIS or use AD or use OAuth.
One option might be to somehow make a call to the proxy server at startup and add an http only cookie with the token. Not ideal but it might work.