Thank you for reaching out to Microsoft Q&A
You can use APIM named values to set the allowed origins in your CORS policy. This will allow you to have different values for each environment, and you can update the named values independently of the policy.
To achieve this, you can modify the CORS policy to use the named values by using the following syntax:
context.Variables["AllowedOrigins"] below references the named value that contains the list of allowed origins. You can set this named value in each environment with a comma-separated list of allowed origins.
For ex:
you can set the named value to http://localhost:6432/ in the development environment
https://xyz1.net,https://xyz2.net and https://xyz3.net in the production environment
<cors allow-credentials="true">
<allowed-origins>
<origin>@(context.Variables["AllowedOrigins"])</origin>
</allowed-origins>
</cors>