I don't think you can keep the URL from changing while using a WordPress page. At least, everything I could think of to get the original URL in any way failed miserably when I tested it. If maintaining the URL is extremely important, you might have to live with a custom html/php file that's not connected to WordPress. Or you could try loading WordPress in that custom php file. Since the purpose of hiding things behind a 403 is to keep them out of sight, I would think maintaining the URL isn't needed in most cases. For a tiny bit of context, you could put some kind of message on your custom 403 page like:
Whoa there buddy. You're not allowed there. The server, in it's infinite graciousness, has redirected you to this page instead of kicking you in the butt. If you think this is an error...blahblahblah.
As for the second problem, couldn't you edit the .htaccess file before uploading it to your production site? If you want to use a URL that's not domain specific you could use something like:
ErrorDocument 403 /index.php?p=72
Where "72" would be the page ID of your custom page. It's still specific to a single WordPress install though.
The initial request is responded to with a 302 which redirects the browser to your new page. The new page then sends a 200. You can check the initial response by using something like:
It is true though, that it's the final response (200 in this case) that really matters.