
Getting weird HTML response when requesting access token

Short story:

A few days ago I started developing an app that will track my sleep, calculate sleep debt, Sleep/Awake ratio, predict sleeping hours necessary to get a healthy and refreshing sleep, etc.
I've set it up using the league/oauth-2 client for PHP and it was working fine and dandy until a few days back, when I started getting a "Forbidden" response when doing such a simple thing as trading an authentication code for an access token.

 

Scenario:

I get redirected to Fitbit, log in with my account, allow the app to use my data and get redirected back with state and code in GET parameters in the URL and "Forbidden" as the message of the response to my request.

Upon some digging in I found that the response holds this:

[Image: fitbit_response.PNG]

Which is really strange because how could I verify myself with captcha when the whole point of using an API is to do it in code?

 

Things where I might have broken something:

  1. While messing with development I was constantly asking for new access and refresh tokens
  2. I flushed the database holding all the keys for... reasons
  3. I've been messing around with the callback URLs in app settings at Fitbit

What I've tried so far:

  1. Use other OAuth clients
  2. Revoke access
  3. Change private key
  4. Create a new app in the Fitbit dev panel
  5. Use a VPN

Nothing works. Does anyone have any ideas where the problem is?
