Please note that as of version 142, Chrome has deprecated Private Network Access in favor of Local network access restrictions. I can confirm that attempting to send a CORS request to a domain that resolves to a private IP address without the permission enabled results in an error like the following:
Access to XMLHttpRequest at '<resource-url>' from origin '<origin>' has been blocked by CORS policy: Permission was denied for this request to access the `unknown` address space.
Ensure that you have the following permission enabled on the affected site(s):
For more information, see this blog post.
As for the original questions:
Is Chrome blocking this due to Private Network Access (PNA)?
As far as I know, PNA only blocked requests from insecure contexts. But this has been deprecated as well.
PNA CORS preflight requests (i.e. access-control-request-private-network/access-control-allow-private-network headers) were supposed to be enforced in Chrome 130 but it was ultimately put on hold before PNA was deprecated. Thus, it's very unlikely that PNA is blocking your requests.
Is there any server-side configuration that can allow this pattern?
There's no way to control this from an HTTP server since this is a security feature designed to protect against malicious HTTP servers.
Is removing the internal DNS override the only reliable fix?
Removing the internal DNS override should remove the need for the permission since it will no longer be considered a local network access request.
Would routing all API calls internally through a reverse proxy (so the browser always hits a public endpoint) avoid PNA issues?
Just like the DNS approach, this should also do the trick.
Is there any recommended approach for environments where public domains resolve to internal IPs only on specific networks?
In corporate environments with managed devices, Chrome policies can be used to enable the permission on a list of domains.
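To find which hostnames are affected by an internal DNS override, the following added example (not part of the original answer and not Chrome's own code) classifies resolved addresses and flags requests that go from a page to a more private address space. The address ranges, the public/local/loopback ordering, and the names `addressSpace`, `needsPermission`, `flagged` and the sample hostnames are assumptions of this example.

```javascript
// Address spaces ordered from least to most private (assumption of this example).
const SPACES = ["public", "local", "loopback"];

// Parse a dotted-quad IPv4 string into an unsigned integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when integer address n falls inside base/bits.
function inCidr(n, base, bits) {
  const b = ipv4ToInt(base);
  return n >= b && n < b + 2 ** (32 - bits);
}

// Classify an IP literal. Ranges assumed here: loopback, RFC 1918, IPv4
// link-local, IPv6 ULA (fc00::/7) and IPv6 link-local (fe80::/10).
function addressSpace(ip) {
  const a = ip.toLowerCase().replace(/^::ffff:(?=\d+\.)/, ""); // unwrap IPv4-mapped
  if (a === "::1") return "loopback";
  if (a.includes(":")) {
    return /^(f[cd][0-9a-f]{2}|fe[89ab][0-9a-f]):/.test(a) ? "local" : "public";
  }
  const n = ipv4ToInt(a);
  if (n === null) return "invalid";
  if (inCidr(n, "127.0.0.0", 8)) return "loopback";
  const local = [["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], ["169.254.0.0", 16]];
  return local.some(([base, bits]) => inCidr(n, base, bits)) ? "local" : "public";
}

// True when the target sits in a more private space than the page making the request.
function needsPermission(pageIp, targetIp) {
  const p = SPACES.indexOf(addressSpace(pageIp));
  const t = SPACES.indexOf(addressSpace(targetIp));
  return p >= 0 && t > p;
}

// Constructed sample: hostname -> address as resolved on the internal network.
const resolved = { "api.example.com": "10.20.0.15", "cdn.example.com": "203.0.113.10" };

// Hostnames that a page served from pageIp would need the permission to reach.
function flagged(pageIp, map) {
  return Object.keys(map).filter((host) => needsPermission(pageIp, map[host]));
}
```

Feed `flagged` the addresses as resolved from inside the affected network, since the same hostname resolves differently outside it.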