That 403 screen looks like it’s coming from your host. I’ve seen some hosts that block ‘curl’ from accessing. Try this just to be sure:
curl -skvo /dev/null https://sub.example.com --connect-to ::123.123.123.123
But change the IP address to the actual one for your server.