How come PHP cURL can perform a request, but jQuery AJAX doesn't?

jQuery / JavaScript is doing in the client side, where browsers apply the restriction of Cross-Origin Request Sharing.

The server doesn't have any restrictions, as far as PHP can use a lot of things like URL with fopen(), etc.

The main reason for this restriction is, JavaScript can be executed by anyone in the client side, while the server side code can be executed only by the people who have the access to server side scripts. When a novice user is given a URL to be executed, (AJAX Request), it gets executed on the client where the URL is fired.

This opens up the issues like access to the cookies on the domain, session details, etc. So, for example, when you have an API that can send email using GMail, and you go into a malicious website, there could be a JavaScript, that could fire an AJAX request to say:

POST https://mail.google.com/api/mail/send

With some details, and this gets executed without your knowledge, but with your logged in credentials. This cannot be done using the server side script, because there's nothing like an open session or the flow is controlled.

I would have expected this to have the same response, but somehow it bypasses the .htaccess file, of some sort.

Your .htaccess is weak enough to requests to sneak in. So you need to correct your .htaccess file. You may post the source of your .htaccess file so we can advice you on that as well.

I hope this answered your question.

For your case: If you can use CURL , use CURL but if you really want use ajax, you need to add CORS access on client side AND server side (this is the case that you build your own API) if you use extern API well know, they should have add a topic about CORS issue which explain which headers you have to add to your request to make it work. I hope you understand what i'm saying