When Portal tried to retrieve the results from the Google bucket, it got a redirect from Google and then an auth challenge that it couldn't reply to. This turned out to be because it was sending the Gafaelfawr bearer auth token to Google, which in turn was due to a change in 2.2.0 to add .lsst.codes to the auth domain. That in turn was because we have SUIT deployments on .lsst.codes environments where auth will be required.
However, the async results bucket is named async-results.lsst.codes, so that meant SUIT started sending auth to that request, which Google didn't like. Confirmed this was the problem by overriding sso.req.auth.hosts on data-int.
We don't use SUIT with TAP on .lsst.codes environments other than minikube and red-five (the rest are all T&S deployments), so I think the fix is to undo part of my change and remove .lsst.codes from the auth domain list again.