Maybe the company doesn't want to spend the effort to develop an API. They can through some Cloudflare solution in front and call it done.

Also I wonder if credit card chargebacks are a concern. They might worry that allowing a single user to make a million orders would be a problem, so they might want to rate limit users.