This sounds like a bug that nobody has run into before because the legacy UI and refapp do not do the entire OpenMRS workflow via REST.
I guess the problem is that ForcePasswordChangeFilter is very high priority so it captures all the requests?
Can we change the legacyui module here so that if the request is a REST one (based on accept-type or something) it returns a REST-friendly response instead of forwarding to that other form?
And then we’d need to allow a user to update their own password in the webservices.rest module.
There is a long related discussion here: Unable to update user password via REST
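One way the filter change proposed in the post above could look, as an added example that is not part of the original post and is not the legacyui module's own code. The class name, the three URL paths and the JSON error body are assumptions or placeholders; it assumes the servlet API and the OpenMRS `Context` and `OpenmrsConstants` classes are on the classpath.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.openmrs.api.context.Context;
import org.openmrs.util.OpenmrsConstants;

// Added example (hypothetical class): enforce the forced password change for every
// request, but answer REST clients with JSON instead of forwarding to an HTML form.
public class RestAwareForcePasswordChangeFilter implements Filter {
    // Placeholder paths, not taken from the page; adjust to the real module mappings.
    private static final String REST_PREFIX = "/ws/rest/";
    private static final String REST_PASSWORD_PATH = "/ws/rest/v1/password";
    private static final String CHANGE_FORM = "/changePassword.form";

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getRequestURI().substring(request.getContextPath().length());
        // Pass through when nothing is pending, or when the request IS the password
        // change (form or REST); otherwise the user could never clear the flag.
        if (!mustChangePassword() || path.equals(REST_PASSWORD_PATH) || path.equals(CHANGE_FORM)) {
            chain.doFilter(req, res);
            return;
        }
        if (isRestRequest(request, path)) {
            // Machine-readable refusal; the request is still blocked.
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            response.setContentType("application/json;charset=UTF-8");
            response.getWriter().write("{\"error\":{\"message\":\"Password change required\"}}");
            return;
        }
        request.getRequestDispatcher(CHANGE_FORM).forward(req, res); // browser flow
    }

    // The Accept header is client-controlled, so it only selects the response
    // format here; it never decides whether the request is blocked.
    static boolean isRestRequest(HttpServletRequest request, String path) {
        String accept = request.getHeader("Accept");
        return path.startsWith(REST_PREFIX)
                || (accept != null && accept.contains("application/json") && !accept.contains("text/html"));
    }

    static boolean mustChangePassword() {
        if (!Context.isAuthenticated()) return false;
        return Boolean.parseBoolean(Context.getAuthenticatedUser()
                .getUserProperty(OpenmrsConstants.USER_PROPERTY_CHANGE_PASSWORD));
    }
}
```

The REST password endpoint that is let through must itself verify the caller's current password and only allow changing the caller's own account, which is the second change the post mentions for webservices.rest.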