HTTP defines the status 401 Unauthorized for missing authentication, but this status only applies to HTTP authentication. What status should I return with a session cookie based system, when an unauthorized request happens?

Formally, 403 Forbidden is the right response. It's defined as

Authorization will not help and the request SHOULD NOT be repeated.

The confusing part may be "Authorization will not help", but they really mean "HTTP authentication" (WWW-Authenticate)

403 I believe is technically correct (and probably most effective if you are implementing a custom API / protocol).

401 is not appropriate as it refers to authorization with a WWW-Authenticate header, which a session cookie is not.

If this is a public facing website where you are trying to deny access based on a session cookie, 200 with an appropriate body to indicate that log in is needed or a 302 temporary redirect to a log in page is often best.

You can make use of a test condition and pass on the

Error code: 401.1-Logon failed. The logon attempt is unsuccessful, probably because of a user name or password that is not valid.

Which is specifically used for the incorrect password or mismatched user name and password. Hope this helps you.