Found the reason.
Starting with Chrome 85 (and probably the rest of the browsers will follow suit, Opera already did), browsers will automatically block all cookies that request SameSite=None on insecure cookies: https://developers.google.com/web/updates/2020/07/chrome-85-deps-rems#reject_insecure_samesitenone_cookies
For those wondering, the fix requires all cookies that have SameSite attribute set to None, to also be available only on Secure connections (HTTPS).
@rosssimpson - perhaps it’s time for Envato to consider a javascript based header/frame/floating thing (with a “Buy now” button or something), rather than an iframe. The restrictions around loading websites in iframes are becoming tighter and tighter and I wouldn’t be surprised if in the future, they’ll completely drop the support for it.