No 'Access-Control-Allow-Origin' header is present on the requested resource (ASP.NET Core Web API 3.1 + Angular)

The frontend is an Angular SPA and the backend is ASP.NET Core Web API 3.1. The backend API contains only two endpoints: one public, one secured with the [Authorize] attribute. I am able to log in to the sample Angular application, and am also able to return data from the public endpoint. But once I try to call the secured API, it returns the following error:


The Allowed Web Origins and Allowed Origins (CORS) are configured as such:

The app works fine locally. It only throws an error when deployed to the server.

Please help!