You are probably still getting a malformed challenge. As far as a SIP client is concerned, 401, is a challenge for authentication, and the following text is only for human consumption. Such a challenge must have the details of the challenge, but the provider is violating that rule.
I note that you have tried to add P-Asserted-Identity to the incoming channel, but that is pointless, as it is only used for outgoing requests. Also PAI is something that Asterisk can add itself in normal cases, if you enable it, in which case it will be set to the value of the caller ID. A visual check of the logs would have confirmed that this was not being sent.
I’d suggest fixing the “hide” option, if only to elminiate a possible cause. I’ve mentioned this at least twice.
I would check with the provider whether they really want a domain name in the authorisation user field.