Obviously you're running into the same-origin policy. But, looking at their API, it seems like their API isn't meant to be loaded via in-page JavaScript.

Normally, to get around this, the API could implement Cross-Origin Resource Sharing, which allows the requested resource to "whitelist" domains that can access it via AJAX. Or maybe use JSONP, which would allow you to put script tags and call a function on your page. Lastly, you can have your server application make the request to the API, and then return the result to the end user.

But since this API isn't designed with CORS or JSONP, and your private token would be exposed in plain text to the end user, I would highly recommend making the request on a server application and returning the result to the end user.
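A sketch of the server-side relay recommended above, added as an example that is not part of the original answer. The upstream URL, the `Authorization: Bearer` scheme, and the parameter names `q` and `page` are assumptions; substitute whatever the real API documents.

```javascript
// Server-side relay: the browser calls an endpoint on your own origin and
// this code calls the third-party API, so the token never reaches the page.
// API_BASE, the Bearer scheme and the parameter names are assumptions.
const API_BASE = "https://api.example.com/v1/lookup";
const ALLOWED_PARAMS = new Set(["q", "page"]);

// Build the upstream request from browser-supplied query parameters.
// The destination is fixed and only allowlisted parameters are forwarded,
// so the endpoint cannot be used as an open proxy.
function buildUpstreamRequest(query, token) {
  const url = new URL(API_BASE);
  for (const [key, value] of Object.entries(query)) {
    if (!ALLOWED_PARAMS.has(key)) continue; // silently drop unknown keys
    if (typeof value !== "string" || value.length > 200) {
      throw new RangeError(`bad value for ${key}`);
    }
    url.searchParams.set(key, value);
  }
  return { url: url.toString(), headers: { Authorization: `Bearer ${token}` } };
}

// Handle one browser request. fetchImpl is injectable so the relay can be
// exercised offline; by default it uses the runtime's global fetch.
async function relay(query, token, fetchImpl = fetch) {
  let upstream;
  try {
    upstream = buildUpstreamRequest(query, token);
  } catch (err) {
    return { status: 400, body: JSON.stringify({ error: err.message }) };
  }
  try {
    const res = await fetchImpl(upstream.url, { headers: upstream.headers });
    if (!res.ok) {
      // Do not pass upstream error text through: it may echo credentials.
      return { status: 502, body: JSON.stringify({ error: "upstream error" }) };
    }
    return { status: 200, body: JSON.stringify(await res.json()) };
  } catch {
    return { status: 502, body: JSON.stringify({ error: "upstream unreachable" }) };
  }
}
```

Call `relay()` from the route handler of whatever server framework you use, passing the parsed query string and a token read from server-side configuration such as an environment variable.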