Hi Michael,
"Is it correct to assume that the XS Admin tool overrides .xsaccess?" - If there are for one and the same package, the configurations specified via the XS Admin tool take precedence over the .xsaccess file.
"Do I need to allow "Exposed Headers"?" - If you use headers that are not simple, you must
explicitly add them to the allowed headers list.
"I can open the "Add Exposed Header" dialog but pressing the "Add" button results in JavaScript errors. See below for screenshots. Is this a bug? If so, Is there a workaround?" - It could be a bug in the XS Admin tool in rev92, but I'm not completely sure. A possible workaround is to add the exposed headers to the .xsaccess file for this package (or to a parent package).
Also it would be helpful if you provide the request headers for the request that fails.
Best regards,
Stefan