You could configure 2 additional Policies:
Policy 1: OnAuthReject rule tied to an 'OnRejectRedirect' Response. Configure for ALL USERS
Policy 2: OnAuthAttempt rule tied to an OnRejectRedirect' Response. Configure for ALL USERS
The 'OnRejectRedirect' Response would be the same for both Policies. It should redirect to a page that reads "User Name or Password Incorrect".
OnAuthReject = Occurs if the authentication failed for a user bound to a policy (bad password).
OnAuthAttempt = Occurs if the user is rejected because the user cant be found (bad user name).
If either of these Rules are triggered the redirect will send the user to the page indicating the Authentication failed due to Invalid UserName or Password. This should allow you to achieve your goal. I would actually expect the default before to keep prompting the user to authenticate if Auth failed due to either invalid user name or password by default. I wouldn't expect to get an HTTPO 401 error at at all.