I think the critical difference is that their backend API is not meant for public use. The situation is akin to forging an internal email to your customer service rep, tricking them into changing your bill.
It responds to calls from their frontend code, by necessity. It is not meant for public use. Just because you are technically capable of interacting with it yourself does not mean you legally can.
Just because you can physically enter a stranger's house does not shield you from trespassing charges.
Society / the legal system is not code. There is all sorts of nuance and morals and subjectivity involved beyond the "bits on the wire", so to speak. You can go to prison for accessing a website you know you shouldn't, even if the HTTP response code is 200.