Authentication problems with iControl rest and bash

I have a strange problem: I wrote a script which invokes a iControl rest API call (with cURL), which, if I execute the curl command at my bash prompt, it works fine. however, running it from within command substitution causes it to fail with 401 unauthorized.

Successful invocation at the shell:

[user@localhost:~/scripts]$ curl -sk -u 'admin:' -H 'Content-Type: application/json' -X POST -d '{"command":"run","utilCmdArgs":"config-sync to-group failover-group"}' https://f5ltm1.example.com/mgmt/tm/cm
{"kind":"tm:cm:runstate","command":"run","utilCmdArgs":"config-sync to-group failover-group"}

Here's my stub with test bash code:

 Stub to test config sync with iControl rest API

LB_PWD=''
PREFIX="curl -sk -u 'admin:$LB_PWD' -H 'Content-Type: application/json'"

function syncLBConfig {
    local LB=$1
    local GROUP=$2
    local JSON="{\"command\":\"run\",\"utilCmdArgs\":\"config-sync to-group $GROUP\"}"
    local URI="/mgmt/tm/cm"
    local CMD="$PREFIX -X POST -d '$JSON' https://${LB}${URI}"
    echo $CMD
    RESPONSE=$(${CMD})
    echo $RESPONSE
}

LB_NAME="f5ltm1.example.com"
HA_GROUP="failover-group"
syncLBConfig $LB_NAME $HA_GROUP

When invoked I get a 401 unauthorized response with a HTML document (festooned with configuration metadata and details about my software version, hotfixes, data-groups, etc.) If I copy and paste the text produced by the 'echo $CMD' line in my function, the API call works without issue. Any idea what escape sequence you need to embed to get curl to satisfy the iControl REST API, and acknowledge the credentials I'm passing it?