We are often experiencing issue of getting 403 error when requesting/renewing API access tokens. Sometimes, simple retry fixes the issue, other times – not.
@Silarn, I think you are talking about a different situation: completing an OAuth flow with return/callback URL.
In our case we’ve already done the OAuth flow and we want to make calls to the API, but first we need to get a new access token using the stored refresh token. It seems to be a different issue you talk about.
There was a thread for a similar issue recently (though it never ‘sometimes’ worked) where having a return URI with an IP address or port would simply fail like this. It seems it must be a regular domain on the standard https port, despite the fact that the initial auth step allows such URIs.