I've been really having a tough time with this. This (in theory) should be pretty straightforward.
My log-in attempt looks like this:
// $data (the URL-encoded form fields) and $user_agent are set earlier in the script.
$curl = curl_init("https://login.example.com/login");
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
// Leave peer verification on; false disables certificate checking for login.example.com.
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($curl, CURLOPT_USERAGENT, $user_agent);
curl_setopt($curl, CURLOPT_VERBOSE, true);
// Send cookies from cookie1.txt; write every cookie the response sets to cookie2.txt.
curl_setopt($curl, CURLOPT_COOKIEFILE, 'cookie1.txt');
curl_setopt($curl, CURLOPT_COOKIEJAR, 'cookie2.txt');
$result = curl_exec($curl);
curl_close($curl);
echo 'result: ' . $result;
Output:
Host: login.example.com
Accept: */*
Cookie: session=8892b5345209128c_57031fed.Q_lzpZ1aOLg3nAdgfWfP2BZWfOQ
Content-Length: 136
Content-Type: application/x-www-form-urlencoded
* upload completely sent off: 136 out of 136 bytes
< HTTP/1.1 302 FOUND
< Server: nginx
< Date: Tue, 05 Apr 2016 02:16:13 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 279
< Connection: keep-alive
< Location: https://page.example.com/dashboard/
* Added cookie logged_in="true" for domain example.com, path /, expire 1491358573
< Set-Cookie: logged_in=true; Domain=example.com; Expires=Wed, 05-Apr-2017 02:16:13 GMT; Secure; HttpOnly; Path=/
* Replaced cookie session="79859c1a698564c0_57031fed.a6asFkkozmLyRysHXCjotKCzwUg" for domain login.example.com, path /, expire 0
< Set-Cookie: session=79859c1a698564c0_57031fed.a6asFkkozmLyRysHXCjotKCzwUg; Domain=login.example.com; Secure; HttpOnly; Path=/
< X-example-App: login
< Strict-Transport-Security: max-age=0
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: max-age=0
< X-Frame-Options: SAMEORIGIN
There is a 302 redirect here, but rather than using followlocation I manually call the next URL, because the cookies appear to be reset when I examine them in the Chrome developer tools.
$curl = curl_init("https://page.example.com/dashboard/");
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
// Leave peer verification on; false disables certificate checking for page.example.com.
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($curl, CURLOPT_USERAGENT, $user_agent);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curl, CURLOPT_VERBOSE, true);
// Send the cookies saved by the login request; write the dashboard's cookies to cookie3.txt.
curl_setopt($curl, CURLOPT_COOKIEFILE, 'cookie2.txt');
curl_setopt($curl, CURLOPT_COOKIEJAR, 'cookie3.txt');
$result = curl_exec($curl);
curl_close($curl);
The output of this is:
Host: page.example.com
Accept: */*
Cookie: logged_in=true
< HTTP/1.1 403 Forbidden
< Server: nginx
< Date: Tue, 05 Apr 2016 02:16:13 GMT
< Content-Type: text/html
< Content-Length: 564
< Connection: keep-alive
< Strict-Transport-Security: max-age=0
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
<
Why is this page forbidden? When I look at the raw data from the live site, this appears to be the exact behavior the site is sending to the server. Why does it work in the browser but not with curl? My research says this may have something to do with HttpOnly cookies, but I don't quite understand how.
I would very much appreciate it if someone could take the time to review the above and give me any insight.
I also tried doing the same script via Selenium, which also failed with the same error. That tells me there is some kind of cookie management that is just not working.
Thanks!
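A check of the cookie scoping visible in the verbose output, added here as an example and not part of the original post. It feeds the two Set-Cookie headers from the login response (constructed copy; the Expires attribute on logged_in is dropped so the cookie is not already expired when this runs) into Python's http.cookiejar, which applies the standard Domain, Path and Secure rules, and reports which cookie names a client would send to login.example.com versus page.example.com.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed sample taken from the Set-Cookie lines in the post's output.
LOGIN_URL = "https://login.example.com/login"
DASHBOARD_URL = "https://page.example.com/dashboard/"
LOGIN_SET_COOKIE = [
    "logged_in=true; Domain=example.com; Secure; HttpOnly; Path=/",
    "session=79859c1a698564c0_57031fed.a6asFkkozmLyRysHXCjotKCzwUg; "
    "Domain=login.example.com; Secure; HttpOnly; Path=/",
]


class _HeaderOnlyResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_values):
        self._msg = email.message.Message()
        for value in set_cookie_values:
            self._msg.add_header("Set-Cookie", value)

    def info(self):
        return self._msg


def cookies_sent_to(url, set_cookie_values=LOGIN_SET_COOKIE, set_by=LOGIN_URL):
    """Store the cookies as a response from `set_by` would, then return the
    sorted names of the cookies a conforming client attaches to `url`."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_HeaderOnlyResponse(set_cookie_values),
                        urllib.request.Request(set_by))
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # applies the Domain, Path and Secure rules
    header = req.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0] for part in header.split("; ") if part)


if __name__ == "__main__":
    for target in (LOGIN_URL, DASHBOARD_URL):
        print(target, "->", cookies_sent_to(target))
```

The session cookie is scoped to Domain=login.example.com, so only logged_in reaches page.example.com, which matches the `Cookie: logged_in=true` line in the second request.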