Since this happens specifically when the project is embedded in an iframe, I would separate two possible causes:
The iframe is being blocked by headers/browser policy.
Vercel is returning a real 403: Forbidden before the page loads.
The quickest way to narrow it down is to open DevTools on the parent page and check the failing iframe request in the Network tab.
Useful things to check:
Does the iframe request itself return 403, or is the browser blocking it because of X-Frame-Options / Content-Security-Policy?
Does the same deployment URL work when opened directly in a normal tab?
Are all affected projects under the same Vercel account/team?
Are Deployment Protection, Vercel Authentication, or Firewall rules enabled on any of the embedded projects?
Does the 403 include a Vercel request ID every time?
If the direct URL works but iframe access randomly gets 403, I would include the parent domain, embedded domain, failing request ID, and browser/network details so Vercel staff can check whether the request is being blocked by protection/firewall logic or by app headers.
If the issue is fully fixed now, could you mark the topic as solved or close it? That should make it easier for others who run into the same 403 iframe issue to see that it was resolved by the recent 403 fix.