It seem I am very late for this question, but I post my experience to here anyway, and hope it can help anyone with similar experience, since it is so hard to google an answer for this kind of rare situation.
I have a very similar problem.
I tested thru Browser and AJAX, they are OK,
but I got connection timed out when I send the request with PHP cURL.
But my situation is a bit different.
I have 2 servers, server A is the host of the API, and server B is the requesting server.
Server B is my production server that, people have been using it without any problem, until one day, I got connection timed out error from Server A.
Then, I found out that, Server A firewall blacklisted Server B, because Server B tried to perform SQL injection. (That is why browser and AJAX didn’t blocked by Server A, because you are sending the request from your PC, not thru the server)
So, I solved my problem by whitelisting Server B in Server A.
But the story is not end yet.
The reason why server A blacklist server B was because one of my user enter a big chunk of paragraph via the API that contain the word “selected” (it is selected, not select alone) and “from“, for some reason the server A marked it as SQL injection.
It sound weird, but I guess the server’s ModSecurity is too sensitive.