Presently, the Donor Dashboard throws authentication (forbidden) errors for the REST API calls on the Donor Dashboard when being used on a subdomain multisite. The issue is specifically seen when the Donor Dashboard is being used on the subsite.
The user reporting the issue has the cookies opened up properly, so if the primary is and the subsite is, the cookies are set to — which should make it available to all subsites.