Node.js

How can the site figure out that the request is not sent from the desired domain, but from the localhost?

Hello, the essence of the question is conveyed in the title, I can only add that we are talking about bypassing the 3ds protection of the p2p payment service of one of the banks. The task for its use, there is no desire to abuse this thing. So, I tracked the requests that the bank sends through a chain of sites with forms, each of which generates the necessary parameters for the request. Specifically, the problem is with ds1.mirconnect.ru. This site is throwing me a 500 error point blank, so I don't do it. I use axios, the data (paReq, MD and TermUrl) are also sent correctly, I specially decoded the paReq that my script generates and the paReq from a successful request through the site, they are identical in structure and correctly differ in values. I don’t know why the server can return a 500 error, there’s simply nothing to break, I checked the data through the text verification service, they are correct, I copied the headers from the original request from the browser and also substituted them, no cookies are required, I checked the worldconnect site, there are no cookies. Maybe someone dug there, tell me what I'm doing wrong. If you need any details, please let me know.
PS if I try to make a similar request using postmana and other things, it throws a 301 with a normal text ala "for technical reasons, the request could not be made"