Update:
Turns out this had nothing to do with CORS or with Angular's management of credentials - it had to do with Angular's lifecycle. See - I was calling CheckAuthStatus (a function that sends an httpClient request to an endpoint in my backend that expects a JWT token in an httpOnly cookie) from app.component.ts inside of an ngOnInit().
Apparently, even though I was subscribing to the observable returned from that function, Angular doesn't check (likely because it can't, as it's an httpOnly cookie) that the credentials have been bound to the request by the browser before sending the request.
I figured this out by manually adding a button that calls checkAuthStatus, and the credentials came through! Leading me to the conclusion that it was a timing problem, rather than a configuration one.
TLDR: If you call a function in ngOnInit() without allowing time for Angular/the browser to load, all credentials you send will send as null - as nothing is bound. Simply set a setTimeout or RxJS delay - and you're golden.