So as far as I can understand, for private images accessed anonymously, the redirect brings you directly to Plone, which, since it sees the image as private, then asks you to log in.
For the use case when you are authenticated via Volto auth, I think the problem should not be present if you use the latest plone.restapi and the latest Volto.
While developing, the problem is not there, since the development proxy is present and it redirects to the backend properly. For me it has nothing to do with the __ac cookie.
The solution is not straightforward, and probably we should add more logic to the Volto SSR server to be able to handle this in seamless mode adequately.
I will create an issue noting this problem and try to tackle it ASAP. Seamless mode is in "experimental" mode and further work should be done on the subject, especially refining production deployments. The idea behind seamless mode was "zero configuration" for this mode, so the builds do not depend on any build-time config. Any feedback like this one from you is very much appreciated!
If you need to work this out in the short term, I recommend that you switch to a "traditional" Volto/Plone deployment where the API is under a directory (e.g. /api).