CORS Error when application is set to allow

Stumped on this for a while now. Getting a CORS error like:

Access to XMLHttpRequest at ‘https://auth.domain.com/dbconnections/change_password/challenge’ from origin ‘https://dev02.domain.com’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

In our account, Cross-Origin Authentication is turned on and contains all our subdomain URLs and even a wildcard, but loading Lock v12.5, triggers these errors.

Any idea how to get rid of these? This happens before any authentication attempt.