Looks like it is due to the fact that Droid sucks when it comes to 401 auth. It partially supports it, as I can use the password protected php book browser interface to my heart's content, but the book download itself breaks, as mentioned before. I went into the server's accesslog, and each failed epub download was given a 401 response to which the Android device never replied.
Not sure if there is something we can do to work around the fact that Android is broken in this regard, but I'll keep digging.
Edit: This is apparently a widespread problem that has existed in Android for a while... googling 'Android' and 'htaccess' will get you some of the better links out there, alternatively 'password protected' with 'Android', or 401 authentication, etc. None of the discussions presented any solution except avoiding passwords on the actual file download directories.
Found the bug reports:
http://code.google.com/p/android/issues/detail?id=1353
http://code.google.com/p/android/issues/detail?id=9866
Can't believe Google's been sitting on this since 2008!! I'll try the workaround in the first bug report.