OK!
I figured this out!
In production mode, with supervisorctl controlling restarting ERPNext, it is vital always to refer to the site by its exact name. There is no site localhost nor 127.0.0.1 so it won’t work.
To avoid connecting outside the machine you merely need to register the host name in /etc/hosts:
erpdev@erpserver:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 erpserver
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.0.1 erp.yourpublic.work
127.0.0.1 dev.yourpublic.work
erpdev@erpserver:~$
Then make your call specifying the correct site name:
erpdev@erpserver:~$ curl -s 'http://erp.yourpublic.work:8000/api/resource/User/Administrator' --header 'Authorization: token 0784b9727f13bb1:a1c7ae585888075' | jq -r .data.email;
admin@example.com
erpdev@erpserver:~$
I am not sure if this is also required in development mode when frappe-bench/sites/currentsite.txt correctly specifies the site.