Am I correct in my thinking that this file is only ever fired if someone is actually logged into the control panel and not under any other circumstances such as someone just visiting the site?
No, Ajax API is used for arbitrary requests, including those for the front–end and non–authenticated users.
Am I correct in my thinking that the Heartbeat API is what is responsible for when one user is editing a post and another user tries to edit it and they get a message warning them someone else is already editing that post?
While Heartbeat API was implemented for such functions, it’s more of a generic channel arbitrary things can run on top of.
Is it even possible to turn off the Heartbeat API or is it a known issue that it actually can’t be turned off?
As far as I remember it is exceptionally hard to disable, more so in clean and compatible way. It also went through several approaches, so a lot of related snippets online are outdated and irrelevant. If there is a sane way to turn it off as of right now — I am not aware of it.
If it definitely can be turned off then what am I doing wrong?
Not sure if you do anything wrong. This might be better discussed with hosting support. Might be something is messing it up, might be your needs (such as many logged in users in admin) are larger than your plan. Anecdotally I am long time SiteGround user myself and never had Heartbeat API issues with them.