Since it apparently wasn't obvious enough: Being in headless mode triggers their bot-detection and therefore blocks the client

How exactly this is done and how it could be bypassed would require insight into their website code, which they are unlikely to share. As usual there is an arms race between people who want to automate and people who don't want bots on their site, but in terms of puppeteer's headless:false, this battle is lost, since it's too easy to detect.