It’s fixed now:
Was quite involved. The fix wasn’t as simple as to try HTTP GET, but it also involved supporting cookies on redirects which our more secure redirector did not do. Both are supported now.
https://github.com/discourse/discourse/commit/53b95f009fc457f033427147ce34b4aa2e472f74
https://github.com/discourse/discourse/commit/369bb78f8e49c4cc4c3b585b40e4dc143a8b2669
https://github.com/discourse/onebox/commit/ea4a45bbf452bc3c40d470889daf21faa7fa6ba0