This is a CORS common headache. I suggest that you test via a browser (preferably Chrome, because it can be very strict) and check the request transactions via the Network tab in Devtools. Look for the "preflight" line and review the results.

I'm guessing that you'll need to add a couple of headers. Also, CORS can frown upon "allowedOrigins: '*'. I think it prefers specificity.

So research CORS preflight and the expected headers.

Note, curl and to other non-browser tools for testing requests do not do the "preflight" OPTIONS request, which is a browser security thing.

Good luck.