@hornygoatweed: We plan on expanding the message size limitations to allow for arbitrarily large messages. That work is being tracked in Github here: https://github.com/Azure/azure-functions-durable-extension/issues/26. Until then, you can write your activity functions to store their results into something like blob storage, and then return a reference to the blob (e.g. the URL) from your activity functions.
@AussieInSeattle: Checking for the existence of the HTTP header was just a convenient way to determine whether authentication was enabled for the page. It is not used to grant access to the app. Only valid security tokens issued by AAD can grant someone access to the app, and it's that security token which is used to populate the header.