So I checked the web and found out that yes, there is a problem, and no, there is no simple fix.
The problem is that Windows XP will add the host information to the server no matter what. Thus, the username is sent as host/username.
There are some hints that this could be fixed with the Apache mod_encoding module, but life is just too short!
Fortunately, I found a solution that seems to work! Basic authentication is pathetic – in fact, the username and password are encoded unencrypted in the URL in the form http://username:password@site/path. So I simply included the username and password this way and hey, it worked. A side effect is that this makes it super obvious how insecure basic authentication is (and that using https doesn’t make it any more secure).