I see your reasoning. That’s when it becomes interesting to know what it is actually looking at when it determines access and whether or not it should spit out this error message.
On a related note, the thing is that it (Discourse, when replying to the embedded request) gives a 400 HTTP response code, which just means “Bad Request”. If it was anything to do with a non-allowed host or similar, I would expect the code to be 401 (“Unauthorized”) or similar, but that isn’t the case. So this suggests that it does not have to do with authorization or allowed hosts. But it could equally be that the backend code just isn’t spitting out a proper HTTP response code.