What should be the HTTP status code if the incorrect credentials have been provided in the session creation request body (POST on session collection)? Should it be 200 or 400 (with appropriate extended error response)?
Isn't 401 misleading in this scenario? The 401 response means that the request lacks valid authentication credentials for the requested resource, which is not true, because POST on the session collection does not require authentication. If the service returns 401 it should also send a WWW-Authenticate header to inform the client how to authorize to access the resource. Then, if the customer resends the request with a valid Basic authentication header (but still the same incorrect username and password in the body), the result will still be 401. Web browsers will automatically show a popup for username and password to send e.g. a Basic authorization header in this case.
While it's true that you do not need authentication headers in the request to POST to the session collection, you do need valid credentials, which are in the body of the request. 401 still applies here since the service is verifying the supplied credentials to either provide access to the client or to reject the request.
We'll certainly need to discuss the WWW-Authenticate header in the response more, because you're correct, that can cause pop-ups in browsers. Is it realistic for a web browser to attempt to create a Redfish session in the first place though? Maybe a browser with a Redfish plug-in, but at that point I would expect that sort of software to handle the 401 response from the session creation request.
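To make the two positions above concrete, here is an added example (not code from this thread, and not a Redfish reference implementation) of a session-collection POST handler that follows the reply's approach: a malformed body gets 400 with an extended error, bad credentials in the body get 401 with an extended error but no WWW-Authenticate header, and valid credentials get 201 with an X-Auth-Token. The user store, the session ID format and the message IDs in the error body are constructed placeholders for the example; only the general error-object shape, the UserName/Password body fields and the 201/X-Auth-Token/Location response follow Redfish conventions. A small helper shows the check that decides whether a browser would raise its login dialog: a 401 only triggers it when WWW-Authenticate names a scheme the browser handles itself.

```python
import hmac
import json
import secrets

# Constructed credential store for the example only (never store plaintext passwords in practice).
_USERS = {"admin": "placeholder-password"}
# Issued tokens -> user name (in-memory session table for the example).
_SESSIONS = {}

SESSIONS_URI = "/redfish/v1/SessionService/Sessions"
JSON = {"Content-Type": "application/json"}


def _extended_error(message_id, message, resolution):
    """Redfish-style error object with @Message.ExtendedInfo.
    The MessageId values used by callers are illustrative, not registry entries."""
    return {
        "error": {
            "code": message_id,
            "message": message,
            "@Message.ExtendedInfo": [
                {
                    "MessageId": message_id,
                    "Message": message,
                    "Severity": "Critical",
                    "Resolution": resolution,
                }
            ],
        }
    }


def create_session(body_json):
    """Handle POST on the Sessions collection. Returns (status, headers, body).

    Credentials travel in the request body, so no Authorization header is
    required and none is requested: the 401 below deliberately carries no
    WWW-Authenticate header, which keeps browsers from showing a Basic-auth
    prompt that could never fix a wrong password in the body anyway.
    """
    try:
        body = json.loads(body_json)
        user = str(body["UserName"])
        password = str(body["Password"])
    except (ValueError, KeyError, TypeError):
        return 400, dict(JSON), _extended_error(
            "Example.1.0.MalformedBody",
            "The request body could not be parsed or lacks UserName/Password.",
            "Resubmit the request with a well-formed JSON body.",
        )

    # Explicit membership test, then constant-time comparison of the password.
    valid = user in _USERS and hmac.compare_digest(
        _USERS[user].encode(), password.encode()
    )
    if not valid:
        return 401, dict(JSON), _extended_error(
            "Example.1.0.InvalidCredentials",
            "The supplied credentials were not accepted.",
            "Retry the request with valid credentials in the body.",
        )

    token = secrets.token_urlsafe(32)
    session_id = secrets.token_hex(4)  # constructed ID format
    _SESSIONS[token] = user
    headers = dict(JSON)
    headers["X-Auth-Token"] = token
    headers["Location"] = f"{SESSIONS_URI}/{session_id}"
    session = {
        "@odata.id": headers["Location"],
        "Id": session_id,
        "UserName": user,
    }
    return 201, headers, session


def triggers_browser_login_prompt(status, headers):
    """True when a response would make a browser open its own credential dialog:
    a 401 whose WWW-Authenticate challenge uses a browser-handled scheme."""
    if status != 401:
        return False
    challenge = headers.get("WWW-Authenticate", "")
    scheme = challenge.split(" ", 1)[0].lower()
    return scheme in {"basic", "digest"}


if __name__ == "__main__":
    for payload in ('{"UserName": "admin", "Password": "wrong"}',
                    '{"UserName": "admin", "Password": "placeholder-password"}',
                    'not json'):
        status, hdrs, _ = create_session(payload)
        print(status, "prompt:", triggers_browser_login_prompt(status, hdrs))
```

The design point is that the status code and the challenge header are separate decisions: returning 401 records that the credentials were rejected, while omitting WWW-Authenticate avoids the pop-up the first post worries about, since there is no header-based scheme a browser could supply that the service would accept for this request.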