Well, in case someone has the same idea, I just checked and the string kbinBot does not appear anywhere in the lemmy git repo.
Web developer here. This type of blocking based on user-agent would be easier done though the server configuration than in the Lemmy code anyway.
Most likely this is some sort of bug or compatibility problem.
Returning "403 Forbidden" makes it seem like it's not a bug or compatibility problem. The lemmy.ml server only appears to return 403 when the user-agent contains the exact string "kbinbot" (not case sensitive). That makes it seem deliberate.
I'm not saying it's done with malicious intent, mind you. It could definitely be some kind of WAF or other automated blocking happening, maybe simply a misclick when blocking a flood of other bots, but that's anyone's guess until the admins respond.
Stop, HAMR time!