Sorry for the long delay, but I wanted to report that we were ultimately able to track this 403 down to our AWS WAF rules, specifically this one:
AWSWAFSecurityAutomationsSqlInjectionRule
To anyone else reading this, I can suggest a few things to help you prove to yourself that Cloudflare is not the source of the problem:
- Verify that the “403 Forbidden” output in the response body is black and white (if it comes from Cloudflare, you will see fancy branding and formatting).
- Go into your Cloudflare settings, and in the right column under “Quick Actions”, enable “Development Mode” (which will temporarily bypass the cache).
- Farther down, click “Pause Cloudflare on Site”.
Give it a few minutes to take, and then after that the true source of the 403 error will be revealed in the response headers. For me, I started seeing this (instead of “server: Cloudflare”):
From there, the problem was cut in half, because we were able to remove Cloudflare completely as a culprit.
At any rate, big thanks to @cloonan and @WhiteDemonhia for helping to troubleshoot.
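
The body-and-header check described in the post, as an added example that is not part of the original post: it classifies a 403 by whether it passed through Cloudflare and whether the body is branded. The sample responses are constructed, `example-origin` is a placeholder server name, and treating the word "Cloudflare" in the body as the branding signal is an assumption.

```python
# Constructed sample responses; none were captured from a real site.
PLAIN = "<html><body><h1>403 Forbidden</h1></body></html>"
CF_BLOCK = ("HTTP/1.1 403 Forbidden\r\nServer: cloudflare\r\n"
            "CF-RAY: 0000000000000000-XXX\r\n\r\n"
            "<html><title>Attention Required! | Cloudflare</title></html>")
PROXIED = ("HTTP/1.1 403 Forbidden\r\nServer: cloudflare\r\n"
           "CF-RAY: 0000000000000000-XXX\r\n\r\n" + PLAIN)
DIRECT = "HTTP/1.1 403 Forbidden\r\nServer: example-origin\r\n\r\n" + PLAIN


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_403(raw):
    """Say which layer most likely produced a 403."""
    status, headers, body = parse_response(raw)
    if status != 403:
        return "not-a-403"
    # Every response proxied by Cloudflare carries these headers, including
    # 403s relayed from the origin, so headers alone cannot assign blame.
    via_cloudflare = (headers.get("server", "").lower() == "cloudflare"
                      or "cf-ray" in headers)
    if not via_cloudflare:
        return "origin"
    # Assumption: a Cloudflare-generated block page names Cloudflare in its
    # body, while a relayed origin page is plain.
    if "cloudflare" in body.lower():
        return "cloudflare"
    # Plain body behind the proxy: pausing Cloudflare confirms the origin.
    return "likely-origin"


if __name__ == "__main__":
    for label, raw in [("branded", CF_BLOCK), ("proxied", PROXIED), ("direct", DIRECT)]:
        print(label, "->", classify_403(raw))
```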