nginx reverse proxy for radicale : 403 forbidden

Before getting started I configured Radicale to run on its own without any security and could access the WebUI on the specified IP:port so things were working. I then wanted to use a reverse proxy and SSL certificates to make things more secure so turned to their clear and simple documentation.

I've added the following to my server{...} definition under /etc/nginx/nginx.conf...

       #####################################################################
       ## Radicle (https://radicale.org/proxy/)                           ##
       #####################################################################
       location /radicale/ {                                                
           proxy_pass           http://localhost:9468/;
           proxy_set_header     X-Script-Name /radicale;                    
           proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for; 
           proxy_set_header     X-Remote-User $remote_user;                 
           auth_basic           "Radicale - Password Required";             
           auth_basic_user_file /etc/radicle/htpasswd;                      
           proxy_ssl_certificate         /etc/radicale/client_cert.pem;     
           proxy_ssl_certificate_key     /etc/radicale/client_key.pem;      
           proxy_ssl_trusted_certificate /etc/radicale/server_cert.pem;     
       }                                                                    

...and have generated all the certificates. If I go to https://example.org/radicale/ I'm asked to log in and can do so with my user credentials. Unfortunately I then get 403: Forbidden :-/

My /etc/radicale/conf is as follows

[server]
[server]
hosts = 127.0.0.1:9468
ssl = True
certificate = /etc/radicale/server_cert.pem
key = /etc/radicale/server_key.pem
certificate_authority = /etc/radicale/client_cert.pem
[encoding]
[auth]
type = http_x_remote_user
htpasswd_filename = /etc/radicale/users
htpasswd_encryption = bcrypt
[rights]
[storage]
[web]
[logging]
[headers]

(if an option isn't listed its the default).

First thought was its a permissions issue on the filesystem_folder = /var/lib/radicale/collections so I modified these to be radicale:http (as nginx runs as http on this Arch Linux system)...

# l /var/lib/radicale/
total 12K
drwxrwxr-x  3 radicale http 4.0K Aug  7 07:35 .
drwxr-xr-x 25 root     root 4.0K Aug 12 08:07 ..
drwxrwxr-x  3 radicale http 4.0K Aug  7 08:18 collections
# l /var/lib/radicale/collections/
total 12K
drwxrwxr-x 3 radicale http 4.0K Aug  7 08:18 .
drwxrwxr-x 3 radicale http 4.0K Aug  7 07:35 ..
drwxrwxr-x 3 radicale http 4.0K Aug  7 08:18 collection-root
-rwxrwxr-x 1 radicale http    0 Aug  7 08:18 .Radicale.lock
# l /var/lib/radicale/collections/collection-root/
total 12K
drwxrwxr-x 3 radicale http 4.0K Aug  7 08:18 .
drwxrwxr-x 3 radicale http 4.0K Aug  7 08:18 ..
drwxrwxr-x 4 radicale http 4.0K Aug  7 08:20 user
# l /var/lib/radicale/collections/collection-root/user/
total 16K
drwxrwxr-x 4 radicale http 4.0K Aug  7 08:20 .
drwxrwxr-x 3 radicale http 4.0K Aug  7 08:18 ..
drwxrwxr-x 2 radicale http 4.0K Aug  7 08:19 86487dd0-1ca2-8183-b1b8-0bc7933792d2
drwxrwxr-x 2 radicale http 4.0K Aug  7 13:46 bd050325-a411-5d0a-625b-d8569b442441
# l /var/lib/radicale/collections/collection-root/user/*
/var/lib/radicale/collections/collection-root/user/86487dd0-1ca2-8183-b1b8-0bc7933792d2:
total 12K
drwxrwxr-x 2 radicale http 4.0K Aug  7 08:19 .
drwxrwxr-x 4 radicale http 4.0K Aug  7 08:20 ..
-rwxrwxr-x 1 radicale http  165 Aug  7 08:19 .Radicale.props

/var/lib/radicale/collections/collection-root/user/bd050325-a411-5d0a-625b-d8569b442441:
total 12K
drwxrwxr-x 2 radicale http 4.0K Aug  7 13:46 .
drwxrwxr-x 4 radicale http 4.0K Aug  7 08:20 ..
-rwxrwxr-x 1 radicale http  216 Aug  7 13:46 .Radicale.props

But no joy, still get 403 : Forbidden, so now I'm stumped as to what to try.

Any suggestions would be gratefully received.