For example, you set the origin to Twitch.tv, but your code isn’t running on the website Twitch.tv it’s running from your Command Prompt.
It’s misleading as basically “you lied (or can lie) about where the code/client is connecting from”. See also section 4.2.1 (subsection 7) page 20.
Some Servers will validate the origin header to ensure it’s from an accepted/permitted location (or origin). (4.2.2 sub section 4 page 22, and section 10 (security considerstions page 50)).
As per the linked RFC/speification
The request MUST include a header field with the name |Origin| [RFC6454] if the request is coming from a browser client. If the connection is from a non-browser client, the request MAY include this header field if the semantics of that client match the use-case described here for browser clients. The value of this header field is the ASCII serialization of origin of the context in which the code establishing the connection is running. See [RFC6454] for the details of how this header field value is constructed.
It’s required for Browser Clients, but not for “desktop/command line clients”
Please refer to the WebSocket Protocol RFC/Specification I linked. The RFC document covers how a client should construct and connect to an RFC compliant server. And the general meanings/usage of each header in a client to server configuration and describes the responses the server will give.
Item 7 on page 18 of the websocket specification also describes this. But doesn’t provide a code example. Since it’s just an RFC.