That’s great!
It seems that Shopify graphQl doesn’t accept requests without userAgent in the CURL header, That’s why it returns 403 forbidden access. Moreover, there is no clear information regarding this point in the Shopify documentation.
Have a nice day!