AWS API Gateway responds with 403 when first going through Alert Logic WAF

I've seen a lot of questions on this topic, but none had answers that worked for my particular situation.

Context

  • I have a domain name foo.bar.com mapped in Route 53 to an Application Load Balancer in a VPC
  • The ALB routes to the WAF in my Alert Logic instance, hosted in the same VPC
  • I have a "website" in Alert Logic that points to xyz.execute-api.us-east-1.amazonaws.com via HTTPS over port 443
  • I have an API defined in API Gateway with an Invoke URL the same as above xyz.execute-api.us-east-1.amazonaws.com
  • My API has a route /hello with an Integration that points to an internal Application Load Balancer in the same VPC and subnets as everything mentioned above

Problem

  • Doing a GET request to https://xyz.execute-api.us-east-1.amazonaws.com succeeds from Postman while connected to the VPN for the given VPC
  • Doing a GET request to foo.bar.com fails from Postman - whether or not connected to the VPN - with a status code of 403, a body of { "message": "Forbidden" }, and an x-amzn-ErrorType of ForbiddenException

QUESTION: What am I missing?
Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
