Thanks everybody for the replies.
It remains unclear to me, though, why, if I mimic the request that the Onebox engine does (or at least I expect this to be the case. Is it, @Falco?), I then get a JSON response with a proper answer, and not a 429.
Is there another request done by Onebox that gets a 429, before performing the request as per my screenshot, that is, curl 'https://www.youtube.com/oembed?format=json&url=https://www.youtube.com/watch?v=Xl-PTTeRsik'?
It goes without saying that these requests were made from the very server running Discourse (so same outgoing IP).