The spec is not clear what should happen in this circumstance. However, I do believe that the 403
forbidden is the more correct response.
The form error page is intended to be displayed when an authentication error has occured during logon (wrong username or password). In your case, their is no
problem with authentication, you simply have insufficient
priviledges to view the requested page.
Note that you can use the error page mechanism to provide
a custom page for 403 responses.