Thanks @nils,
The important thing here is what is happening in the browser, as that is where CORS errors may pop up.
I can see in your screenshot of the Network tab above that the request to /authorize is being initiated by “turbo”. I’m not familiar with that library but from reading https://turbo.hotwire.dev/handbook/introduction#turbo-drive%3A-navigate-within-a-persistent-process it looks like it may be attempting to do a cross-origin fetch of /authorize, which is not supported.
The OAuth 2.0 authorization endpoint is not designed to be called programmatically (for example using xhr or fetch request from Javascript) so you will need to disable Turbo for /authorize for this to work.