On-premises it is possible to assign a new Realm to any string using Set-SPAuthenticationRealm cmdlet.
GetRealmFromTargetUrl in TokenHelper.cs from Visual Studio templates does not take that into account. This method validates the determined realm against Guid.TryParse as you can see here:
if (bearerResponseHeader.Length >= realmIndex + 36)
{

string targetRealm = bearerResponseHeader.Substring(realmIndex, 36);


Guid realmGuid;

if (Guid.TryParse(targetRealm, out realmGuid))

{

    return targetRealm;

}

}

So, if you have changed the realm to a string which cannot be converted to guid, you will get a 401 Unauthorized if you e.g. try to access the host via CreateUserClientContextForSPHost().

That would be really helpful. With kind regards, Ronny