Give direction for further coding

 
Webmentions are awesome.
IndieAuth works too.
 
I almost had to release it to the public, but I ran into the problem of posting to my site.
 
I've created a call that does this:
 
 
This works fine when I call the script from my domain.
 
But it always throws 403 when I try to make a call from a third party resource, e.g. https://quill.p3k.io
 
Please look at the mentioned code.
 
Where am I wrong?