The issue is that the browser has no AWS IAM credentials, this issue does not have anything to do with CORS, you would receive an error from the browser, not from s3. If you want to make requests from the browser you will either have to create an s3 presigned url as Asfar Irshad and Luk2302 suggested:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-presigned-url.html
Or you will have to add the authentication signature to the request headers yourself: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
You can also make the objects publicly accessible or go through a cloudfront distribution. In general it's not great to always go through s3, with cloudfront you get caching at the edge and it is cheaper than going through s3 every time.