We just had another developer ask about this and I've finally gotten to the bottom of it. There is something off with the naming of the token. As such, the solution to use header authentication is as follows:
curl -H "Authorization: OAuth $my_token" -v https://api.lockitron.com/v2/locks
By the way, we highly recommend moving away from the v1 API as we're looking to deprecate it soon.