I've seen different errors with REST API security tools. I'm trying to sort out some details, but Layer7Tech offers a REST API appliance for security/nat/etc. However, when using the vCloud GUI and routing an API upload through the L7T appliance, we get Access Forbidden. I think it has something to do with how the Sessions work and get transferred from being pass through (vCD see the original source IP in the HTTP header) to getting put through a NAT (has the L7T IP).
Not saying this is the same thing, given error states, but to give context that you might see oddities if you do put some specific tools in between vCD and it's clients.