diff --git a/agent/consul/health_endpoint.go b/agent/consul/health_endpoint.go
index 6913136d38..945b3b2eb8 100644
--- a/agent/consul/health_endpoint.go
+++ b/agent/consul/health_endpoint.go
@@ -214,6 +214,14 @@ func (h *Health) ServiceNodes(args *structs.ServiceSpecificRequest, reply *struc
 		f = h.serviceNodesDefault
 	}
 
+	authzContext := acl.AuthorizerContext{
+		Peer: args.PeerName,
+	}
+	authz, err := h.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
+	if err != nil {
+		return err
+	}
+
 	if err := h.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
 		return err
 	}
@@ -239,14 +247,6 @@ func (h *Health) ServiceNodes(args *structs.ServiceSpecificRequest, reply *struc
 				return err
 			}
 
-			authzContext := acl.AuthorizerContext{
-				Peer: args.PeerName,
-			}
-			authz, err := h.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
-			if err != nil {
-				return err
-			}
-
 			// If we're doing a connect or ingress query, we need read access to the service
 			// we're trying to find proxies for, so check that.
 			if args.Connect || args.Ingress {