And the award goes to @stefan1959 , who was right to be persistent about it being Wordfence. It was Wordfence.
I don’t know why it’s not blocking me today, but here’s Wordfence’s log from 3 days ago, when I captured the first error screenshot, saying it was “blocked by firewall for SQL Injection in POST body: sql_query=SELECT%20*%20FROM%20%60wpnf_options%60%20WHERE%201”
This also answers the question of where there would be a log entry explaining the 403 if Apache’s error log didn’t have it. Here it is. Mental note: Remember to check Wordfence AND Apache’s logs next time.
Both mysteries solved. Thanks for your help!