The fix came from the server end; the Web hosting company had to change the security settings.
I tracked it down when I started seeing a very similar problem on another site I run. The same mysterious 403 Forbidden error was popping up, and the "a-ha" moment came when I noticed that both sites that were experiencing the error had a URL being passed as a parameter to a PHP script. So I went into the Web host's troubleshooting section, and discovered that they block any script that uses a URL as a parameter.
Duuuh... Way to much later I realized that the fix
must have come from the hosting company.
Great detective work on your part. (Lucky you had that other site as a reference point.)
