The XML URL is calculated by taking the image's filename (minus the extension), calculating the MD5 hash of that + a static salt (which is visible in the source), then replacing the image extension with the first 10 chars of the hash + ".xml". Example . What type of third party would they be giving this API to?
They 403'd this specific link it looks like. An image I uploaded about an hour ago seems to be working still. is the data it returned for the 403'd image. Here's some Ruby code if you want to try it out yourself.
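The URL scheme described in the first comment, next to a keyed alternative, as an added Ruby example (it is not the code linked in the thread). The salt is a constructed placeholder, and the concatenation order, the hex encoding, the separator and all function names are assumptions.

```ruby
require 'digest'
require 'openssl'

# Constructed placeholder. The thread says the real salt is visible in the
# client source, so it is public information, not a secret.
PUBLIC_SALT = 'PLACEHOLDER_STATIC_SALT'

# Scheme as described: MD5(basename + salt), first 10 hex chars + ".xml".
# Assumed: the salt is appended and the suffix directly follows the basename.
# Every input is public, so any client can compute the name for any image.
def derived_xml_name(image_name, salt = PUBLIC_SALT)
  base = File.basename(image_name, File.extname(image_name))
  "#{base}#{Digest::MD5.hexdigest(base + salt)[0, 10]}.xml"
end

# Keyed alternative (hypothetical): the suffix is an HMAC-SHA256 tag under a
# key that never leaves the server, so clients cannot derive it themselves.
def signed_xml_name(image_name, server_key)
  base = File.basename(image_name, File.extname(image_name))
  "#{base}.#{OpenSSL::HMAC.hexdigest('SHA256', server_key, base)}.xml"
end

# Constant-time comparison so the check does not leak how many characters matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check: recompute the tag for the requested basename and compare.
def valid_signed_name?(xml_name, server_key)
  m = /\A(?<base>[^.]+)\.(?<tag>\h{64})\.xml\z/.match(xml_name)
  return false unless m
  secure_equal?(OpenSSL::HMAC.hexdigest('SHA256', server_key, m[:base]), m[:tag])
end
```

A signed name only limits who can construct the URL; the XML endpoint still needs its own authorization check for the requesting user.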