I'm posting this for the benefit of the community just in case someone else runs into this issue.
I got this response from email@example.com and solved my problem. Impressive support response.
Thank you for contacting API Support regarding the 403 Forbidden error you are receiving, as I understand, this only occurs for non-GET requests, so if you were POSTing, PATCHing, or PUTing. Would you happen to be using a RESTful application like Postman or RESTlet to make these requests? If you are, I think you are actually getting a 403 CORS Forbidden error.
I was able to add the specified 'testrecord' with your request.
1) make sure you are using Test keys in the Test environment (api.ote-godaddy.com) and Prod keys in the Production environment (api.godaddy.com)
2) make sure you are not mix matching keys and secrets, I'd go ahead and delete all keys and generate new ones
3) if you are using Postman, be sure to use the Native App for Postman and not the Chromium browser based app (the Chrome app is the one that gets the 403 CORS error, the Native app works just fine: https://www.getpostman.com/apps)
4) if you are still having an issue
add this custom header to your request:
make your request, get the error
then, inspect the response headers
Look for this header `X-Request-Id`