Ideally it's a config error at the firewall. I saw an interesting idea posed on the lemmy post suggesting that it may have been targeted by a DDoS that used kbinbot in the user-agent string.
Ultimately, it's not happening at a code level, it's absolutely happening at a firewall level (nginx, which, for those who don't understand, is kind of acting like the door lock on your apartment building, where you need to go through the main security before you can get to your own place. Sort of the same idea here). I just spent a bunch of time testing a bunch of various user-agent strings, and it very specifically is matching "kbinbot". No wildcarding within the word, but it a string like "blahbinbotblah" will 403, whereas "blahkbbinbotblah" won't (and various other forms, like k.bin.bot, or kasdfbinasdfbot.)
It's pretty specific. Anyone who deals with firewalls in any capacity understands how nginx works, and specifically why they and others are raising an alarm.
So yeah, ideally it's a misconfiguration, otherwise it's a fairly clear message.