No 'Access-Control-Allow-Origin' header is present on the requested resource

It indeed looks like auth0’s cloudflare configuration problem.
/.well-known/jwks.json request doesn’t return any CORS headers, and changing settings doesn’t reset the cache (getting the same x-auth0-requestid)