This recently happened to me:
Well. What the..? Why would this be forbidden? It’s just a bundle? My project was very default, so it would not be authorization rules.
Turn out there is a simple keyword to remember: ### Never use a path that physically exist in your project as virtual name for your bundle. In my example I actually had a physical directory that matches “/Content/Css”, so Azure would pick that up instead, and naturally I didn’t allow directory browsing, which triggered the 403 call.
Fix this issue by renaming the bundle. “/Content/css” -> “/Content/CssBundle”