The problem was in fact a DNS issue.
file_get_contents() was bizarrely routing through our backup nameservers (ns3 & ns4) for some reason, while browsers were routing through the primary nameservers (ns1 & ns2). Unlike the primaries, the backups point to a different server, which does not yet have identical files - hence the unusual 404.
I had set up these backup nameservers only a few hours before tinkering with the firewall etc and by the time they propagated, it looked very much like the ssh commands had taken
Thanks for all the comments guys - very much appreciated.