Currently it is not possible to add a custom header to a web request when authentication is applied. (https://community.powerbi.com/t5/Desktop/Connecting-to-an-API-with-basic-authentication-and-custom-header/m-p/795350#M382844)
According to the reported error, only the following headers are supported:
Accept, Accept-Charset, Accept-Encoding, Accept-Language, Cache-Control, Content-Type, If-Modified-Since, Prefer, Referer
This is a very strange constraint given that APIs can have all manner of odd requirements and are not equally bound by them. For example, the ConnectWise API requires authentication and a header called "clientid" to indicate the application requesting the data.
I understand why you would need to control the headers that can be applied to web requests when authentication is enabled so people don't add a duplicate Authorization header for example, but wouldn't it make more sense to move to a block-list of headers, rather than an allow-list that we have at the moment?