I believe the URL you are requesting is already cached with the CORS response and you need to invalidate it first.

Your CloudFront configuration shows that you are not caching "OPTIONS" methods, so the preflight calls will be accessing non-cached version of the URLs - allowing the CORS test site to return a successfuly response, since it never executes the actual GET request. However, GET is cached by default, so if you tested this access before setting these header configurations on S3/CloudFront, you would be still getting the cached response.