You're using placeholders correctly, so what it's really saying is that there's no user in the database named or '1'='1 '. The query comes back with zero rows, and presumably something else in the code is seeing that and throwing the 403 (a perfectly reasonable response code for a bad username). Since you're using placeholders, it's likely that no SQL injection attacks are taking place--good job!
As far as I can see from here, it's behaving exactly as it should.
"There is no shame in being self-taught, only in not trying to learn in the first place." -- Atrus, Myst: The Book of D'ni.