This question already has an answer here:
Is there any limitation/issue setting/thowing
403 the usual PHP way?
header('HTTP/1.0 403 Forbidden'); die('You are not allowed to access this file.');
Modern PHP CMS/frameworks tend to abstract HTTP protocol as Request/Response.
WP comes from older times and has a very weak concept of HTTP response. Essentially it follow “classical” just throw stuff on a page model.
As such there is no “clean” way to work with headers in it.
De facto approach is just to use some appropriate hook to output custom headers and interrupt remainder of page load, if necessary. Most typical hook to do this on it traditionally