glad to read that we've finally found the root of your issue .
You need to know that SCORM (1.2) - which is an application profile i.e. a collection of standards plus best practices - tooks many parts of the work done by the AICC Group especially for the tracking both data & mechanism - which gives vendors the ability to apply their tracking logics thanks to the talking with the LMS "just" using Standards and not a Vendor locked-in solution - dropping just the HACP part.
What makes the difference between the two tracking mechanisms is HACP, an HTTP (POST) based tracking protocol, while SCORM relies on a Run Time Environment (RTE) based on an ECMA Script based API implementation. Vendors who don't want to distribute their content in a self-contained learning package (almost a requirement for SCORM) need to use AICC and HACP to allow external tracking to let their package work out of the box. SCORM RTE technology simply fails when the content is hosted in a different domain - compared to the one of the LMS - due to the so called SCORM cross domain (security, from a browser POV) issue unless IT or LMS takes care of that content configuration with some extra effort in finding a "working configuration" for the tracking (proxy is the key, at system or LMS level).
That being said, it depends also on the security a Company is used to apply in deploying their applications: here, in case of more vendors in the future, you can trust Moodle to expose mod/scorm/aicc.php to the internet, even if you have "opened" it by enabling External AICC HACP.
P.S.: if this post and/or the previous ones has/have been useful please rate it/them . TIA!