I'll reach out to those who support click protect as I believe this may just be a conflict between the two systems.
Click protect is sending a URL with a unique path (/mwg-internal/de5fs23hu73ds), your on-premise MWG is recognizing that as something meant for it (your MWG), this results in the error.
We will likley need to have the click protect folks, change a global variable (de5fs23hu73ds) in their systems to be unique (Fe5fs23hu73ds) path so it doesnt interfere with MWG customers.
Actually, this just may be a bad link, do you have a SaaS case open at all? If not, you can open a MWG SR and I can take it over.
To clarify further, click protect is using MWGs to perform the scanning.