Microsoft has recently made a change to SharePoint Framework that might break existing solutions that use an Azure backend (e.g. a Function App) that is secured to only allow requests from SPFx apps. For us, our Azure Functions suddenly started returning 403 Forbidden.
Previously you would secure your Azure apps to only allow requests from SharePoint Online Client Extensibility Web Application Principal. With the change, you need to change it to allow SharePoint Online Web Client Extensibility instead. Unlike the old app, the new app is global and has the Client ID 08e18876-6177-487e-b8b5-cf950c1e598c. Allowing this ID fixed our problems!
