Spoofing a User-Agent by itself is not illegal. Browsers, curl, bots, monitoring tools, and privacy tools do this constantly for legitimate reasons.

The legal risk comes from why you are doing it and what protections you are bypassing.

If you are doing it specifically to bypass Bambu's authorized access, then it is very likely to fall afoul of the Computer Fraud and Abuse Act. The mechanism (spoofing the UA) is entirely incidental to the motivation (bypass authorized access), which is what the law cares about.