Heads up! This blog post hasn't been updated in over 2 years. CodePen is an ever changing place, so if this post references features, you're probably better off checking the docs. Get in touch with support if you have further questions.
A sad state of affairs, really.
We were having a hard time replicating the issue. But ultimately we got the names of some of the different firewall products those companies were using and went to the websites for them. We tried requesting they unblock the files, but we could tell that was a fool's errand. Some of them offered a testing tool for testing an asset to see if it would be blocked. We found which asset of ours was being blocked. It was a script of course. Then we broke that scripts apart into the different individual scripts it was built from, and found out which script was triggering it.
There was absolutely nothing we found find in there that seemed like a problem. So we did a little test. We moved that script out onto it's own, and forced it to load over HTTPS. Our theory was that even a firewall can't read encrypted traffic. It worked! Or at least, so it seems. Nobody has reported this issue since.
Moral of the story: If you're having assets blocked by firewalls, hopefully you can work with the company to unblock it and solve it at the source, but if not, it seems like serving over HTTPS prevents the blockage.