I had a similar problem due to a "terminate-unmatched-request" set as true in my API Management. Turns out that swagger and server were not exchanging security-policies properly and the API management terminated, as the attribute says, the unmatched request. I am still investigating details, but these links, I hope, may help you.
https://learn.microsoft.com/en-us/azure/api-management/cors-policy#attributes
https://learn.microsoft.com/en-us/answers/questions/1527379/empty-response-body-in-api-management-developer-po