Poloniex C# Trading API webRequest comes back (403)

2019-07-25 18:59发布

问题:

I have cut my code down to the essentials for testing access, but I am still receiving the good old error (403) from the server. I have double-checked that I am using the correct API Key/Secret pair. My code (C# via Unity 3D) is as follows:

using System.Collections;
using System.Collections.Generic;
using UnityEngine;
using System;
using System.Security.Cryptography;
using System.IO;
using System.Text;
using System.Net;

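/// <summary>
/// Unity behaviour that sends one signed <c>returnBalances</c> request to the
/// Poloniex trading endpoint when the object starts, and shows the raw reply
/// (or the exception text) in <see cref="OutputText"/>.
/// </summary>
public class PolonScript : MonoBehaviour
{
    /// <summary>Text element that receives the raw reply or the error text.</summary>
    public TextMesh OutputText;

    // Placeholders only. NOTE(review): constants compiled into a Unity build can be
    // read back out of the shipped assemblies, so a real key/secret pair should be
    // loaded at run time from storage that is not part of the build or the repository.
    const string _apiKey = "---apiKey---";
    const string _apiSecret = "---apiSecret---";

    /// <summary>
    /// Builds the POST body, signs it with HMAC-SHA512 and sends it synchronously.
    /// The call blocks the calling thread until the server answers.
    /// </summary>
    void Start()
    {
        // The nonce has to be larger on every request. "HHmmss" restarts at
        // midnight and repeats within the same second, so later requests would
        // carry a smaller or equal value; UTC ticks only move forward.
        string nonce = DateTime.UtcNow.Ticks.ToString(
            System.Globalization.CultureInfo.InvariantCulture);

        const string WEBSERVICE_URL = "https://poloniex.com/tradingApi";
        try
        {
            var webRequest = System.Net.WebRequest.Create(WEBSERVICE_URL);
            webRequest.Method = "POST";
            webRequest.ContentType = "application/x-www-form-urlencoded";

            // The signature is computed over exactly these bytes, and the same
            // bytes are written to the request body below.
            byte[] dataStream =
                Encoding.UTF8.GetBytes("command=returnBalances&nonce=" + nonce);

            webRequest.Headers.Add("Key", _apiKey);
            webRequest.Headers.Add("Sign", genHMAC(dataStream));

            // using-blocks release the request and response streams even when a
            // write or read throws.
            using (Stream requestBody = webRequest.GetRequestStream())
            {
                requestBody.Write(dataStream, 0, dataStream.Length);
            }

            using (WebResponse response = webRequest.GetResponse())
            using (Stream s = response.GetResponseStream())
            using (StreamReader sr = new StreamReader(s))
            {
                OutputText.text = sr.ReadToEnd();
            }
        }
        catch (WebException ex)
        {
            // The exception text names the HTTP status; it does not include the
            // Key or Sign header values.
            OutputText.text = ex.ToString();
        }
    }

    /// <summary>
    /// Computes HMAC-SHA512 of <paramref name="dataStreamInput"/> keyed with the
    /// UTF-8 bytes of the API secret.
    /// </summary>
    /// <param name="dataStreamInput">The exact request-body bytes to sign.</param>
    /// <returns>The 64-byte MAC as 128 upper-case hexadecimal digits.</returns>
    private string genHMAC(byte[] dataStreamInput)
    {
        byte[] secretBytes = Encoding.UTF8.GetBytes(_apiSecret);

        // HMACSHA512 holds key material; dispose it as soon as the MAC is computed.
        using (HMACSHA512 hmac = new HMACSHA512(secretBytes))
        {
            byte[] signBytes = hmac.ComputeHash(dataStreamInput);

            // NOTE(review): upper-case hex is kept from the original; confirm the
            // server compares the Sign header case-insensitively.
            StringBuilder hex = new StringBuilder(signBytes.Length * 2);
            foreach (byte b in signBytes)
            {
                hex.Append(b.ToString("X2"));
            }

            return hex.ToString();
        }
    }
}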

So why am I receiving the (403) Forbidden using accurate credentials?

I tried this to see the reason:

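catch (WebException ex) 
{
    // Response is null when the request failed before any HTTP reply arrived
    // (name resolution, TLS, timeout), so the status is shown instead.
    WebResponse errorResponse = ex.Response;
    if (errorResponse == null)
    {
        OutputText.text = ex.Status.ToString();
    }
    else
    {
        // Show the body as well as the headers: an error reply may state the
        // reason for the rejection in its body.
        using (errorResponse)
        using (var reader = new System.IO.StreamReader(errorResponse.GetResponseStream()))
        {
            OutputText.text = errorResponse.Headers.ToString() + reader.ReadToEnd();
        }
    }
}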

and receive the following

//Date: Sat, 14 Apr 2018 15:34:56 GMT
//Content-Type: application/json
//Transfer-Encoding: chunked
//Connection: keep-alive
//Set-Cookie: __cfduid=dd1b32592915674669120afbf8181141b1523720096; expires=Sun, 14-Apr-19 15:34:56 GMT; path=/; domain=.poloniex.com; HttpOnly
//Cache-Control: private
//Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
//Server: cloudflare
//CF-RAY: 40b73d4b8c98552e-ORD

回答1:

I expect that is because your Sign header is not valid.


You can double-check whether your sign function is correct by running it with the fake nonce and fake secret below and verifying that it produces the expected sign:

  • post data: nonce=123456&command=returnBalances

  • nonce: 123456

  • secret: 123456

  • sign will be: b56174398987d15deee73885ca178ba82c414c7f27e763a9aa3cfc41c5b1373980ed83638bbf8c66dc62c20cbf35e770ad264af8571d22bc7c96fae9740dac0

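If the sign is different, please share the code of your genHMAC function. (Note: an HMAC-SHA512 value is 128 hexadecimal digits, while the sign printed above appears to have 127, so a digit seems to have been lost in copying; compare against a value computed with a known-good tool rather than character for character.)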


You may try this version to generate the sign header:

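// Test-vector placeholders, not real credentials. NOTE(review): a real key/secret
// pair should be loaded at run time from outside the source tree, not assigned here.
private readonly string _apiKey = "123456"; 
private readonly string _apiSecret = "123456"; 
// Starting value for the request nonce. UTC ticks are used because local time can
// step backwards (daylight-saving change), which would produce a smaller nonce.
private long nonce = DateTime.UtcNow.Ticks;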




/// <summary>
/// Returns the upper-case hexadecimal HMAC-SHA512 of the API key's ASCII bytes,
/// keyed with the API secret.
/// </summary>
/// <remarks>
/// NOTE(review): the message signed here is the API key, whereas the test vector
/// given alongside this code signs the POST data. Confirm which payload the server
/// verifies before using this value as the Sign header.
/// </remarks>
private string CreateSignature()
{
    byte[] message = StringToByteArray(_apiKey);
    byte[] mac = SignHMACSHA512(_apiSecret, message);

    // Hex digits have the same upper-case form in every culture, so invariant
    // casing yields the same text as the culture-sensitive call.
    return ByteArrayToString(mac).ToUpperInvariant();
}

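/// <summary>
/// Computes HMAC-SHA512 over <paramref name="data"/>.
/// </summary>
/// <param name="key">Secret used as the MAC key; encoded as ASCII, so any
/// non-ASCII character is replaced by '?' before keying.</param>
/// <param name="data">Exact bytes to authenticate.</param>
/// <returns>The 64-byte MAC.</returns>
private static byte[] SignHMACSHA512(String key, byte[] data)
{
    // The HMAC object holds the key material; dispose it once the MAC is computed.
    using (HMACSHA512 hashMaker = new HMACSHA512(Encoding.ASCII.GetBytes(key)))
    {
        return hashMaker.ComputeHash(data);
    }
}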

/// <summary>
/// Encodes <paramref name="str"/> as ASCII bytes; characters outside ASCII
/// are replaced by '?'.
/// </summary>
private static byte[] StringToByteArray(string str)
{
    Encoding ascii = System.Text.Encoding.ASCII;
    byte[] encoded = ascii.GetBytes(str);
    return encoded;
}

/// <summary>
/// Formats <paramref name="hash"/> as lower-case hexadecimal without separators.
/// </summary>
private static string ByteArrayToString(byte[] hash)
{
    // BitConverter yields "AB-01-..."; drop the dashes, then lower-case.
    string dashed = BitConverter.ToString(hash);
    string compact = dashed.Replace("-", "");
    return compact.ToLower();
}

Then:

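   const string WEBSERVICE_URL = "https://poloniex.com/tradingApi";
    try
    {
        // Build the body first: the Sign header must cover exactly the bytes sent.
        // The nonce is advanced per request so that no value is ever reused.
        nonce++;
        var postData = "nonce=" + nonce + "&command=returnBalances";
        var data = Encoding.ASCII.GetBytes(postData);

        var webRequest = System.Net.WebRequest.Create(WEBSERVICE_URL);
        webRequest.Method = "POST";
        webRequest.Timeout = 12000;
        webRequest.ContentType = "application/x-www-form-urlencoded";
        webRequest.ContentLength = data.Length;
        webRequest.Headers.Add("Key", _apiKey);

        // Sign = lower-case hex HMAC-SHA512 of the POST data, keyed with the API
        // secret. This matches the test vector given with this code, which signs
        // the post data rather than the API key.
        webRequest.Headers.Add("Sign", ByteArrayToString(SignHMACSHA512(_apiSecret, data)));

        // The original never wrote the body, so the server received an empty POST.
        using (System.IO.Stream body = webRequest.GetRequestStream())
        {
            body.Write(data, 0, data.Length);
        }

        using (var response = webRequest.GetResponse())
        using (System.IO.Stream s = response.GetResponseStream())
        using (System.IO.StreamReader sr = new System.IO.StreamReader(s))
        {
            var jsonResponse = sr.ReadToEnd();
            Console.WriteLine(String.Format("Response: {0}", jsonResponse));
        }
    }
    catch (Exception ex)
    {
        // The exception text carries the HTTP status but not the Key or Sign headers.
        Console.WriteLine(ex.ToString());
    }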

Source: https://bitcointalk.org/index.php?topic=1590683.0