RequireXsrfCheck not working for webwork1

I have a webwork1 panel I’m trying to secure with @RequireXsrfCheck. My code is:

public class ProjectAdminPanelAction extends JiraWebActionSupport {
    public String execute() throws Exception {

I try to test it with curl using

curl --location --request POST 'http://localhost:8080/myjira/secure/documentvault/DocumentVaultProjectPanelAction!execute.jspa?projectKey=TEST&atl_token=xx' --header 'Content-Type: application/x-www-form-urlencoded' --header 'Authorization: Basic Y2hhZDpwYXNzd29yZA==' --header 'Cookie: JSESSIONID=DC4F1B7BE2D598C76198317D5FDF06B9'

And it brings back the page. I have tried without the !execute, with both RequireXsrfCheck classes and I still get the same. Same thing happens if I remove the atl_token parameter as well.

I’m using Jira 8.6. What am I missing?