Thank you anonymous monk! Upgrading to 1.54 (along with adding the Accept header) gets me at least one step farther on this chain.

For the record: I determined what ModSecurity would and would not reject by looking at the request Firefox sends (with the Live HTTP headers plugin) and pasting in combinations of lines to an openssl s_client session and figuring out which lines/features were necessary to get a 302 redirect instead of a 400 bad request.