The first thing to check is the server error log after doing a test that causes the 403 error. Look at the error message and if it involves file access, check the given filepath very carefully. It is likely that it will be incorrect due to a hole in the way that you are handling requests for the subdomain versus the main domain.

A common problem is the use of page-relative on-page links ( e.g. <img src="image.gif"> as opposed to <img src="/image.gif"> ) combined with a failure to recognize and rewrite those links in the logic used to map subdomains to (sub)directories. Therefore, it's possible that the image requests in this case are being resolved to an improper filepath, and that that filespace is off-limits to HTTP requests.

The problem isn't anywhere as complicated as it sounds; This description is generalized and based on incomplete knowledge of the problem, and as such, can't be mcuh more specific or be put much more simply. The error log will likely be quite helpful in focusing the investigation.

Jim

Error log doesn't log this. It only shows that I'm missing 403.shtml, but that's irrelevant at the moment.
From raw access log I see that z.x.y.com/style.css sends GET /image.gif. However latest visitors from cPanel shows that I have asked for x.y.com/image.gif.
I'm not quite sure how different filetype requests are handled, but if all mys files are in the same folder and index.php can ask relatively for style.css then I have no idea why the same don't work with style.css asking for image.gif.

I have still no luck with images, so I'm going to contact my host.
But meanwhile I discovered something else I just can't explain. From what I know about internet then z.x.y.com and x.y.com/z are the same address. Or x.y.com/w can be the same if I've set that subdomain z gets its files from w folder.
I was experimenting with deleting and recreating my subdomain to see if that would make any difference with images and after I've deleted my subdomain, I reloaded the page to see 404 error, except that I didn't! There's another site at my former subdomain address. I tried searching for this site from Google but no results. Recreated my subdomain and refreshed the page, my page again. But if I can't access that page with another address (or at leastGoogle doesn't know it) and my subdomain was active before, then how is it possible that this site has an active forum?

Wow! That sounds like a very crudely-configured shared hosting environment, and one that I'd get away from fast!

Log into your site using FTP, and try navigating UP from your top-level domain. If you can get to other people's sites by doing that, then it's time to find a new host. Otherwise, you're just hacker-bait...

Jim

No, I can't go more up than I'm supposed to. But even so I think I've heard before that it only takes a php script to read other files on a shared server.
This phantom site seems to be visible only to my computer. Tried another network and got nothing. Tried browsershots.org and it gave an error too. So I'm seeing an active site at some generally accessible url that I don't know, but it also displays on my subdomain if it's not active. I'm wondering if that could be some cache between me and hosting server or what.

You might want to check out this phantom site. Is it one of those, "That domain doesn't resolve, so we will offer you a search box and throw ads in your face type sites, or is it another site on that same server (same IP address)? If either, I'd complain to the hosting company.

Back to your original question, you might want to check to see if you have anti-hotlinking code in your .htaccess file, or "hotlinking protection" enabled in your control panel. It may be that for the "site" where the image exists, the other site is considered an "external site" and therefore is not allowed to refer the image request.

Jim

Images were a .htaccess issue. Disabled hotlinking long time ago and forget about it. Just needed to add my subdomain to exceptions list.
This phantom site was some sort of forum for CS and seemed to be just another place for teenagers to hang out. I used tracert to both my top-level domain and subdomain and they were identical, so I guess we're on the same server. Need to ask my host about that.
Thank you for all your help!