API Gateway resource policy is not working in conjunction with lambda authorizer

I have an API Gateway with a resource policy like so:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "aws-account-id"
        ]
      },
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*/*/*"
    }
  ]
}

Let's say I have an endpoint called /auth and another one called /noauth.

/auth endpoint has a lambda authorizer (it validates the authorization header token value)

/noauth endpoint has no lambda authorizer in front and thus no Authorization header token required

According to https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-authorization-flow.html, the resource policy is applied first, and only if that is ALLOW should the lambda authorizer get invoked, and then in turn the API.

The behavior I am observing is not following that pattern. When I am making a call to /auth from a different computer and not on the same AWS account, as long as the Authorization header is valid, I get a successful response, when in reality the resource policy should have kicked in and blocked me from even hitting my /auth API. On the other hand, the /noauth API (the one with no Authorization header) does return me a DENY as expected.
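As an added example (not part of the question), this is the policy shape normally used when the goal is to block callers regardless of what the authorizer decides: the question's Allow statement kept as-is, plus an explicit Deny with a condition. An explicit Deny in the resource policy is evaluated before the Lambda authorizer runs and cannot be overridden by an authorizer Allow, whereas the mere absence of a matching Allow does not stop an authorizer-approved request; the 203.0.113.0/24 range is a placeholder for whatever network is actually trusted, and the Sid values are illustrative.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowFromTrustedAccount",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "aws-account-id"
        ]
      },
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*/*/*"
    },
    {
      "Sid": "DenyOutsidePlaceholderTrustedCidr",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*/*/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "203.0.113.0/24"
          ]
        }
      }
    }
  ]
}
```

After changing a resource policy, redeploy the API stage; the check is that a request from outside the listed range to /auth now returns 403 even with a valid Authorization header.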

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow