This recently happened to me:
Well. What the..? Why would this be forbidden? It’s just a bundle? My project was very default, so it would not be authorization rules.
Turns out there is a simple rule to remember:
Never use a path that physically exists in your project as the virtual name for your bundle.
In my example I actually had a physical directory that matched “/Content/Css”, so Azure would pick that up instead, and naturally I didn’t allow directory browsing, which triggered the 403 call.
Fix this issue by renaming the bundle. “/Content/css” -> “/Content/CssBundle”
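The rename described above, plus a startup guard that catches the same collision for any bundle, as an added example that is not part of the original post. It assumes the standard `System.Web.Optimization` bundling setup; the `site.css` file name and the `AssertNoPhysicalCollisions` helper are hypothetical.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Web.Hosting;
using System.Web.Optimization;

public static class BundleConfig
{
    public static void RegisterBundles(BundleCollection bundles)
    {
        // Before: the virtual name matches the physical ~/Content/Css directory,
        // so the directory is picked up instead of the bundle and, with
        // directory browsing disabled, the request ends in a 403.
        // bundles.Add(new StyleBundle("~/Content/Css")
        //     .Include("~/Content/Css/site.css"));

        // After: a virtual name with no directory or file behind it.
        // Views must reference the same name: @Styles.Render("~/Content/CssBundle")
        bundles.Add(new StyleBundle("~/Content/CssBundle")
            .Include("~/Content/Css/site.css")); // assumed file name

        AssertNoPhysicalCollisions(bundles);
    }

    // Hypothetical helper: fail at application start instead of
    // discovering the 403 after deployment.
    private static void AssertNoPhysicalCollisions(BundleCollection bundles)
    {
        var clashes = bundles
            .Select(b => b.Path) // the bundle's virtual path, e.g. "~/Content/CssBundle"
            .Where(virtualPath =>
            {
                string physical = HostingEnvironment.MapPath(virtualPath);
                return physical != null &&
                       (Directory.Exists(physical) || File.Exists(physical));
            })
            .ToList();

        if (clashes.Count > 0)
        {
            throw new InvalidOperationException(
                "Bundle virtual path matches a physical path: " +
                string.Join(", ", clashes));
        }
    }
}
```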