Incident report
Resolution: Unresolved
Trivial
None
2.0.16, 2.2.11, 2.4.6
The frontend sends JSON data like:
{"jsonrpc": "2.0", "method": "zabbix.status", "params": {"nocache": true}, "auth": "b5a5f54c05a066a02cefc71cf0f3543f", "id": 2}
But it turned out that the cookie "zbx_sessionid=b5a5f54c05a066a02cefc71cf0f3543f" is actually required, instead of the "auth" object, to authenticate such a request.
Confirmed for 2.0.6 and 2.4.7
Why do we additionally include the "auth" object in the JSON data when we send a request to a web server hosting the Zabbix frontend?
It misleads users who, for example, want to perform such calls from their own applications!
I suggest removing unused things from the JSON data.
Note - the cookie is required only if the Guest user is disabled, which is true in most production installations.
With Guest enabled, the cookie is not required at all.
Working example when Guest is disabled:
# curl -i -X POST -H 'Content-Type:application/json-rpc' -H 'Cookie: zbx_sessionid=b5a5f54c05a066a02cefc71cf0f3543f' -d '{"jsonrpc":"2.0","method":"zabbix.status","params": {"nocache": true},"id":1}' 'http://localhost/dev/2.4/jsrpc.php?output=json-rpc'
result:
{"jsonrpc":"2.0","result":{"result":false,"message":"Zabbix server is not running: the information displayed may not be current."},"id":1}