When there are “private" settings in the API connector for a template app, our underlying logic will interpret those "private" (ie. "server-side only, should never be sent to the client") settings as "private settings that are confidential which should only belong on the original app, and which should not get copied to apps created from the template".
This functions appropriately for templates with “private" API keys that are meant to be entered manually by the template’s consumers, but impacts simple configuration headers that can/are meant to be copied over to apps created from the template while simply staying “private” from the client/server perspective.
We are aware of this limitation and in the future may have more granular controls for template builders to specify the parts of their template that should and shouldn’t be copied into apps created using the template.