As far as I understand, the private API (3rd party) needs a source of API request’s domain to be allowlisted within the 3rd party system to give an appropriate response.
The apps built on the Freshworks developer platform reside on https://d3h0owdjgzys62.cloudfront.net” . You see if the response gets in if that’s whitelisted.
Sometimes, 3rd party systems also want IPs to be whitelisted to give the response back to the app. In those cases, static IP feature of the Request Method comes into play.