OK bit more trial and error later I worked out a curl command that doesn't trip this.
Still not entirely sure what about the original request trigger it. Think it was something around the Sec-Fetch-* headers that copying a request from browser via copy cURL included