Even if I don't think that this is your problem, It is not recommended to use CalDavZAP with additional authentication (e.g. custom .htaccess).
If you want to use authentication use the login screen (and password manager which can pre-fill your password).
Ask Radicale developer for CORS support and all your problems will be solved without ProxyPass and/or similar hacks ...
Of course there is a password on the caldavzap URL. Otherwise anybody could access my calendar.
The browser requests the password and access is granted allright. This should not be the problem.
Or does caldavzap run into a problem even though the browser is authenticated?