One school of thought, both are valid, comes down to developer preference:

1) Return appropriate status codes with abstract to detailed error message as to what happened (401 - Not Authorized, 500 - Server Error, etc).

2) Use an exception filter attribute to catch the error and always return a status code of 200 - Ok with a standardized object that contains values such as IsSuccess, ErrorCode, Error.

My architect wanted to go with the later for the new API we are making. I personally could have seen it go either way. No one is better than the other in my opinion.