This post is the only one I have found when Googling about this. For future people who find this post:
It is a FortiWeb set up with a Bot Detection policy. There is a section about detecting if the traffic is really from a browser, and an option is "Real Browser Enforcement" (the system sends a JavaScript to the client to verify whether it is a web browser).
Asking your IT security team to allowlist your particular URL should fix it.