tldr: curl's --data-binary argument normally specifies arbitrary data to send to the server. However, if the argument starts with an @, curl instead treats it as a filename, and sends the file contents to the server.

This technique is likely to work on anything with 'copy as curl' functionality, and may also work on some websites with SSRF where you control a request body or header name.

I wrote this up but full credit goes to Paul Mutton for reporting it to our bug bounty program, and agreeing to let us publish the technique.