Because the whm, cpanel, webmail and webdisk proxy subdomains run through Apache before being routed to cPanel/WHM, etc., all traffic is processed through any configured ModSecurity rules. This causes problems for legitimate functions, especially in root WHM, which trigger such rules.
To avoid this and to maintain consistency for the various ways to access WHM, it would be best to have the following within the VirtualHost in httpd.conf for the proxy subdomain container:
# CPANEL/WHM/WEBMAIL/WEBDISK PROXY SUBDOMAINS
<VirtualHost ... *>
A side effect of this problem when a ModSecurity rule is triggered is that the browser is redirected to a 403/406 page, which strips the URL of the security token. Because this is going through Apache and not the cPanel server, it results in a spurious "security token missing" error.
I raised this with support in ticket ID 1774258.
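An added example, not part of the original request or cPanel's own code: a small audit that checks an httpd.conf for the scoping this request depends on, namely that ModSecurity is switched off only inside the proxy subdomain VirtualHost and nowhere else. It assumes the exemption is written with ModSecurity's `SecRuleEngine Off` directive and that the proxy container is recognisable by `cpanel.*`/`whm.*`/`webmail.*`/`webdisk.*` names; the sample config, addresses and host names are constructed.

```python
import re

# Constructed sample config (hypothetical hosts; 192.0.2.10 is a documentation address).
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10:80>
    ServerName example.com
</VirtualHost>
# CPANEL/WHM/WEBMAIL/WEBDISK PROXY SUBDOMAINS
<VirtualHost 192.0.2.10:80>
    ServerName proxy-subdomains.example.invalid
    ServerAlias cpanel.* whm.* webmail.* webdisk.*
    <IfModule security2_module>
        SecRuleEngine Off
    </IfModule>
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName shop.example.com
    SecRuleEngine Off
</VirtualHost>
"""

# Assumption: proxy subdomain names start with one of these labels.
PROXY_PREFIXES = ("cpanel.", "whm.", "webmail.", "webdisk.")
VHOST_RE = re.compile(r"<VirtualHost\s+[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def audit(conf_text):
    """Return (proxy vhosts still filtered, ordinary vhosts with the engine off)."""
    proxy_filtered, site_unfiltered = [], []
    for body in VHOST_RE.findall(conf_text):
        names, engine = [], None
        for line in body.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue  # skip blank lines and comments
            key = parts[0].lower()
            if key in ("servername", "serveralias"):
                names += [n.lower() for n in parts[1:]]
            elif key == "secruleengine" and len(parts) > 1:
                engine = parts[1].lower()
        label = names[0] if names else "(unnamed)"
        is_proxy = any(n.startswith(PROXY_PREFIXES) for n in names)
        if is_proxy and engine != "off":
            proxy_filtered.append(label)    # WHM/cPanel requests still hit the rules
        elif not is_proxy and engine == "off":
            site_unfiltered.append(label)   # exemption leaked onto a customer site
    return proxy_filtered, site_unfiltered

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

The second list is the one to watch after any template change: a `SecRuleEngine Off` that ends up outside the proxy container removes WAF coverage from a hosted site.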