the jwt url parameter is controlled by the opendistro_security.jwt.url_param config, which default to authorization, I believe that is why it works for you when you use authorization in the url parameter. You can customize it using the config item mentioned above
Please note that the jwt_url_parameter is a config of Elasticsearch, which Kibana is not aware of. Kibana always set the token into Authorization header when querying Elasticsearch