Well - I'm feeling a little confused and even more stupid...
I identified that $ENV{'DOCUMENT_ROOT'} could be the problem and hardcoded them and still came up with the problem. But now I hardcode them again I cannot replicate the problem - in other words, it works!

Here is a working example, in case anyone stumbles along this path as much as anything else

#!/usr/bin/perl -T

use strict;
use warnings;

use CGI::Carp qw(fatalsToBrowser);

use FindBin qw($RealBin);
my $safepath;
BEGIN {
    if ($RealBin =~ m!^(/home/...path.../(test|uk)/www)!) {
        $safepath = "$1/../lib";
    } else {
        die "Insecure access!";
    }
}
use lib "$safepath";

use cPanelUserConfig;
use PDF::API2;

my $pdf  = PDF::API2->open("/home/...path.../test/data/xmas/GiftSubscr
+iption.pdf");
my $font = $pdf->font("/home/...path.../test/data/xmas/Merriweather.tt
+f");

my $page = $pdf->open_page(1);
my $text = $page->text;
$text->font($font, 36);
$text->position(656, 403);
$text->text('XXX');

print "Content-type: application/pdf\n\n";
print $pdf->to_string;
[download]

I can only assume that I hardcoded one environment variable but not the other but that seems pretty strange. I don't know what I did or didn't do to keep the problem whilst I thought I had got rid of $ENV{'DOCUMENT_ROOT'}.

Now I need to go back to the environment variables and untaint them with some sense checking.

Sorry for a bit of a wild goose chase
I'll go back to watching fireworks...