After 10 days of debugging, I found the root cause: I forgot to define the key and value in my Kubernetes ConfigMap in the Terraform config. This had several consequences:
The application received an empty list for `allowedOrigins` in the CORS configuration
The CORS filter couldn't match the request's origin against the empty allowed origins list
For preflight requests, the filter simply passed the request down the chain
Since I hadn't implemented any handler for OPTIONS requests in my application, it resulted in a 405 Method Not Allowed error