Silent failures in auth are the worst. The logging-somewhere-no-one-watches problem is real though, that's what got you.
What actually helped us: treat auth validation failure as a panic-level event. Not a log line buried in rotation. We send these to a dedicated channel that pages on-call immediately, separate from normal observability.
Also: your .IsValid() returning bool is the real culprit. We switched to returning errors and making it impossible to ignore. Go's error handling forces you to handle it or explicitly ignore it (which shows up in code review).
The query pattern alert catching this instead of auth logs is telling. Your monitoring is backwards.