Fixed it in the end – was a crude mix of Cookie-Path related stuff 
This is the corresponding Bedrock config if someone else is wondering:
/**
* Multisite setup
* Do NOT use 'Config::define' for any other constants besides 'WP_ALLOW_MULTISITE' here...!
* @link https://discourse.roots.io/t/not-sure-how-to-get-multisite-functional-in-dev-environment/15701/2
*/
Config::define('WP_ALLOW_MULTISITE', true);
define('MULTISITE', true);
define('SUBDOMAIN_INSTALL', true);
define('DOMAIN_CURRENT_SITE', env('DOMAIN_CURRENT_SITE'));
define('PATH_CURRENT_SITE', env('PATH_CURRENT_SITE') ?: '/');
define('SITE_ID_CURRENT_SITE', env('SITE_ID_CURRENT_SITE') ?: 1);
define('BLOG_ID_CURRENT_SITE', env('BLOG_ID_CURRENT_SITE') ?: 1);
define('WP_DEFAULT_THEME', 'storefront');
/**
* Use DOMAIN_CURRENT_SITE as the cookie domain. This ensures cookies and
* nonces are using the correct domain for the corresponding site. Without
* this, logins, REST requests, Gutenberg AJAX requests, and other actions
* which require verification will not work.
*/
Config::define('ADMIN_COOKIE_PATH', '/');
Config::define('COOKIE_DOMAIN', env('DOMAIN_CURRENT_SITE'));
Config::define('COOKIEPATH', '/');
Config::define('SITECOOKIEPATH', '/');