Shopify: Reverse Proxy misroute leading to steal X-Shopify-Access-Token header

Hello Shopify team! I found out that on /admin/api/graphql endpoint server fetches content of Host header value $HTTPHost + /admin/api/graphql. If my own host was sent to server, request comes from ██████████or ██████████ your google cloud cluster. Also I can grab all reverse proxy headers...