The external control API worked fine for me until a couple days ago. Looks like my Roku 2 got updated to "Software version 8.1.0 * build 4131-04", and since then, I only get 403 Forbidden.
$ curl -v http://roku:8060/keypress/Right
For security reasons, you will need to use the target IP address directly rather than your local DNS alias 'roku'.
The same DNS rebinding attack vector is also found on Roku devices (CVE-2018–11314). The researcher says that Roku devices expose an API server on port 8060, accessible from a user's internal network.
An attacker could use a DNS rebinding attack to send requests to this API server and control basic device functions such as launching apps, searching, playing content, and even simulating keys input using a virtual keyboard app.
curl -vvv http://$(dig +short +search roku)/...
from roku import Roku
r = Roku(socket.gethostbyname('roku'))