After a few tests, I seem to have found the root cause. I need offline accessTokens and also work with them. When I switch everything back to online accessTokens, verifyRequest() works as expected and also the REST API call goes through.
{ accessMode: offline} is apparently not used by verifyRequest (by design!). This in turn causes the session to not load properly and then the call does not go through.
So I will switch back to online session for all browser to server communications and get the offline access token differently. Found an explanation here: https://github.com/Shopify/shopify-node-api/issues/140#issuecomment-801053492 It’s GraphQL related, but still fits.