Your CloudFront configuration is already working well and supports CORS request.
It's the way you are loading the panorama viewer, remove the requestHeaders and withCredentials field, so your code becomes
panoramaViewer = new Viewer({
container: viewerElement,
panorama: imageURL,
});
The requestHeaders isn't doing anything in this case because both Sec-Fetch-Mode and Origin are forbidden request headers, meaning they can't be modified.
As for the withCredentials, you don't need this, since you are not sending any credentials (Authorization or Cookie headers). Plus, having the Access-Control-Allow-Origin set to *, will trigger an error making your request fail.
Failed to load resource: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
Here is a working demo with the correct code showing the panorama