A month ago, Twitter changed the permissions for OAuth apps and some of the URLs.
In twitter.py, GetDirectMessage(self, user, text) declares the url to be "%s/direct_messages.json", but this should be "%s/1/...", see:
https://dev.twitter.com/docs/api/1/get/direct_messages
When I updated the URL, I was still getting a 403. The response is:
{"errors":[{"code":93,"message":"This application is not allowed to access or delete your direct messages"}]}
This is due to a relatively recent change in how Twitter deals with OAuth:
https://dev.twitter.com/docs/application-permission-model/faq
To fix this, the twitXBMC application needs to update the required OAuth permissions from R/W to R/W/DM