@anon29869905 might correct me here, but displaying the login mask is in my opinion a desired “fallback”, as your authentication might fail for whatever reason (no matter if you just don’t have access because you got no account or your login data is invalid).
If we’d jump on a 403 page without showing the login page, the user would e.g. have to click a link or take other actions in order to get back to the login mask to try to log in again.
Just my thoughts. Personally I don’t see an issue returning error 403 which allows you to more granularly check your logs and stuff, but the login mask should always get displayed if you’re not logged in (and not trying to register or reset your password).
But that’s just my opinion.