Basically the browser (at least Edge/Chrome) verifies the request the same it does when connecting to the requested URL.

So I usually make sure the service as well accepts a "GET" to which I forward the user (as in window.open(), prompt to click a link, or similar) when I detect that the connection fails. With that, the user can run through the usual "accept" process for the certificate.

After this, also the XHR works for me.