In my case token authentication was working fine on development server and not on Apache. The reason was exactly the missing WSGIPassAuthorization On
http://www.django-rest-framework.org/api-guide/authentication/#apache-mod_wsgi-specific-configuration