-- The problem with using product-order instead of product_order as reference for the purpose of hiding is that it doesn't hide anything. This is being offered the article as a means of security. It's not. You can as well stick with original underscore name.
If you really want to decouple the url-resource-name from the database name use a salted hash.
-- Header authentication: It is preferred against url authentication as a security measure. It's not a security measure. Header data is as easily readable as url data.
It's not bad practice. It's just not a means of security as claimed in the article: "Don’t Pass Authentication Tokens in URL This is a very bad practice in terms of security."
-- As I wrote in the article: There's nothing wrong with a consistent URL structure, but it's got nothing to do with REST. The article claims "Practical advice for designing REST APIs". A consistent URL structure has got nothing to with REST.
If the article would have claimed "Practical advice for a resource-based consistent URL structure" it would have been closer to the content provided.
Let me put it this way: If an article about roof racks claims "Practical advice about designing cars" it's as far off topic as this one.
Of course there are roof racks on cars. But they are by no means necessary for designing and operating a car.