Just to confirm, where exactly are your customers clicking before they get the 'Forbidden' message?
Are they opening up the draft order invoice email > attempting to click on 'complete your purchase' > getting the 'Forbidden' error?
Are you using any third-party email notification or order management apps, such as Orderly? Any additional context you can provide would be appreciated.