By following the instructions at https://developer.atlassian.com/cloud/trello/guides/embedding/embedding-cards/ (along with some digging through `embed.js` because embedding private cards requires providing a token, which is not documented), I was able to embed a test card within my web app.
The commenting form works just fine, but it's impossible to leave new comments. The issue is purely with the Trello embedding code - instead of sending `key` and `token` in the POST request to the comment API endpoint, it sends `data[key]` and `data[token]`, which results in HTTP 401. The reason it sends the data that way is that the code uses both `$.ajax` and `$.post`, providing them with the same data - but those functions require different inputs. Namely, `$.post` adds an extra wrapper around your input by putting it under that `data` key.
But even if that part is fixed, it still won't work because the code in `api.js` overrides the token with the value parsed from the cookie stored in the iframe. But AFAIK iframes don't have cookies nowadays - the token will always be `null`.
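
The serialization difference described in the post, as an added example (not part of the original post, and not Trello's or jQuery's code). `param` only approximates the bracket notation `jQuery.param` uses for nested objects. The helper names, the sample values and the assumption that the endpoint reads only top-level `key` and `token` fields are illustrative.

```javascript
// Approximation of jQuery.param's bracket notation for nested objects
// (illustrative re-implementation, not jQuery's source).
function param(obj) {
  const pairs = [];
  const build = (prefix, value) => {
    if (Array.isArray(value)) {
      value.forEach((v, i) => {
        const idx = v !== null && typeof v === "object" ? i : "";
        build(prefix + "[" + idx + "]", v);
      });
    } else if (value !== null && typeof value === "object") {
      for (const name of Object.keys(value)) {
        build(prefix + "[" + name + "]", value[name]);
      }
    } else {
      const v = value == null ? "" : String(value);
      pairs.push(encodeURIComponent(prefix) + "=" + encodeURIComponent(v));
    }
  };
  for (const name of Object.keys(obj)) build(name, obj[name]);
  return pairs.join("&");
}

// $.ajax(settings): the request body is built from settings.data.
function bodyViaAjax(settings) { return param(settings.data); }

// $.post(url, data): the second argument itself becomes the body, so a
// settings-shaped object ends up nested under its own "data" key.
function bodyViaPost(url, data) { return param(data); }

// Field names as the receiving server would parse them.
function fieldNames(body) { return [...new URLSearchParams(body).keys()]; }

// Assumption: the endpoint authenticates on top-level key/token only.
function hasTopLevelCredentials(body) {
  const p = new URLSearchParams(body);
  return p.has("key") && p.has("token");
}

// Constructed sample values, not real credentials or a real endpoint.
const url = "https://api.example.invalid/comments";
const settings = { data: { text: "hello", key: "EXAMPLE_KEY", token: "EXAMPLE_TOKEN" } };

console.log(fieldNames(bodyViaAjax(settings)));      // flat field names
console.log(fieldNames(bodyViaPost(url, settings))); // names wrapped in data[...]
console.log(hasTopLevelCredentials(bodyViaPost(url, settings)));
```

Comparing the parsed field names on the receiving side, or in the browser's network tab, is a quick way to confirm whether a 401 comes from misplaced credentials rather than invalid ones.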