I'm using Microsoft.Azure.Mobile SDK for implementing Server code.

Code in OWIN startup is as below:

public void ConfigureAuth(IAppBuilder app)
{
    HttpConfiguration config = new HttpConfiguration();
    new MobileAppConfiguration().ApplyTo(config);
    app.UseAppServiceAuthentication(new AppServiceAuthenticationOptions
    {
        SigningKey = ConfigurationManager.AppSettings["SigningKey"],
        ValidAudiences = new[] { ConfigurationManager.AppSettings["ValidAudience"] },
        ValidIssuers = new[] { ConfigurationManager.AppSettings["ValidIssuer"] },
        TokenHandler = config.GetAppServiceTokenHandler()
    });
    app.UseWebApi(config);
}

Token generation code:

Claim[] claims = new Claim[]
{
    new Claim("sub", "SampleSubject"),
    new Claim("Id", Convert.ToString(Users[0].user_id)),
    new Claim("name", Users[0].name),
    new Claim("surname", Users[0].surname),
    new Claim(ClaimTypes.Role, "user")
};
var token = AppServiceLoginHandler.CreateToken(claims, ConfigurationManager.AppSettings["SigningKey"], ConfigurationManager.AppSettings["ValidAudience"], ConfigurationManager.AppSettings["ValidIssuer"], TimeSpan.FromDays(30));
return token.RawData;

A sample JWT token is eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJHcnViZXJBUEkiLCJJZCI6IjMyODkwIiwibmFtZSI6IkRhdmlkZSIsInN1cm5hbWUiOiJCb25ldHRhIiwicm9sZSI6InVzZXIiLCJ2ZXIiOiIzIiwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MjM1MzEvIiwiYXVkIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MjM1MzIvIiwiZXhwIjoxNTAyNDYyNDQzLCJuYmYiOjE0OTk4NzA0NDN9.b5VhWzvkaEumutPZpLzImcAy4NotXCSgUIqLltVUQWI

The token is valid per below screenshot

And for below code,

 [Authorize]
    public IEnumerable<string> Get()
    {
        return new string[] { "value1", "value2" };
    }

    // GET api/values/5 
    public string Get(int id)
    {

        try
        {
            ClaimsPrincipal claims;
            AppServiceTokenHandler s = new AppServiceTokenHandler(new HttpConfiguration());
            s.TryValidateLoginToken(Request.Headers.Authorization.Parameter, ConfigurationManager.AppSettings["SigningKey"], new[] { ConfigurationManager.AppSettings["ValidAudience"] }, new[] { ConfigurationManager.AppSettings["ValidIssuer"] }, out claims);

            AppServiceTokenHandler.ValidateToken(Request.Headers.Authorization.Parameter, ConfigurationManager.AppSettings["SigningKey"], ConfigurationManager.AppSettings["ValidAudience"], ConfigurationManager.AppSettings["ValidIssuer"]);
        }
        catch (Exception ex)
        {

            throw;
        }

        return "value";
    }

'/Get' request fails with HTTP 401. BUT For the same JWT token 'Get/5' returns HTTP 200 (validates token manually).

The problem is, when I use Authorize attribute, api returns 401.

According to your description, I checked this issue on my side.

Access the protected Web API

In summary, you could refer to the above screen shoot and check with your api endpoint. Additionally, you could refer to AppServiceTokenHandler.cs and HmacSigningCredentials.cs for implementing your custom TokenHandler to troubleshoot this issue. Moreover, you could refer to adrian hall's book about Custom Authentication .