After discussions in the Azure Support Forum:
https://learn.microsoft.com/en-us/answers/questions/5530153/apim-cors-options-request-500-error?comment=question&translated=false#newest-question-comment

It seems wildcard subdomains are not possible in APIM.

All approaches failed: with directly in allowed-origins oor via expressions and context variables.