The deny/allow is the first thing I do as you can see in the OP.
Uh-oh. Big problem here.
Within any one module, commands execute in the order you put them. But each module as a whole executes in the order set by the server. It has nothing to do with the arrangement of directives within the htaccess or config file. The different modules pass through htaccess one at a time. When it's mod_rewrite's turn, it sees only mod_rewrite directives. When it's mod_alias's turn, it sees only mod_alias directives. When it's mod_setenvif's turn... and so on.
Deny/allow is mod_auth-whatsit. (Exact names will depend on Apache version. Go far back enough and it's mod_access instead.) It typically executes immediately before the core, and definitely after mod_rewrite has done its thing.