You should check your server logs to identify what rule is being triggered. It will almost certainly just be a false positive from an overzealous rule that is incompatible with XF.
It's worth having the domain owner check DNS records to ensure any entries for the old record are removed. This can't be checked externally since the records will be obscured by Cloudflare reverse proxying, but you can take a look at the access log for the old server to see if any traffic is...
I meant the same feed multiple times. In any case, it seems like that feed may have bad locale handling where it can serve the same items in different locales (and different GUIDs) even though you're explicitly specifying English (en), so it's still ultimately an issue with the source.
Almost certainly just the regular no permission or not found error. You can check web server access logs to see what URLs they're trying to access. The bot permissions are no different from guests, but bots may be trying to scrape URLs guests don't have access to or that otherwise don't exist.
You can hover over the triangle, but more than likely they're just trying to view a thread that guests don't have permission to view. There is nothing in the core which would cause them to be treated differently from any other bot.