Turns out another iRule was running ahead of this one, sometimes resulting in a redirect which causes the (later, unintended) header insertion attempt to fail (see link above).
We added the line "event disable all" after the conditional redirect in the preceding rule, and modified the redirect itself to include a Connection: Close header (to prevent subsequent requests on same connection from bypassing the iRule logic):
when HTTP_REQUEST {
if { condition }{
HTTP::respond 302 Location https://host.company.com[HTTP::uri] Connection Close
event disable all
}
...
}