We are using the graphQL API to send images through to Shopify. We have noticed that recently it seems shopify are sorting query string parameters in these (signed) URLs before attempting to download the images.
The re-ordering of the parameters or any change of the URL can render the original signature invalid; a generated signature only works on a specific URL. It may be if you try the URLs that they are both working, but _initially_ the reordered one would 403 because it's not yet in cache in imgix. Aftering trying the "original" one, in some cases, the image goes into cache at imgix and then both versions work. That's a red herring however. The essential point is that ideally shopify would not re-order parameter in this manner as it breaks auth in some cases.
I would be happy to take a closer look at this, and see if I can provide any additional insights or context. Would you be able to replicate this behaviour again potentially with a different URL of the same structure, and log the x-request-id header value returned in the API response headers we send.
If you can share this as well as any additional details about your initial request and response I can try to locate request logs on our end and pass on next steps or insights.