HSTS doesn't really apply to APIs. HSTS is for browsers and only browsers enforce them when dealing with rendering. API calls can, in theory, include them but they have no effect, by design. Refer to the docs here where it discusses this in more detail.
APIs should require HTTPS only and HSTS becomes a mostly mute point after that. If you really, really want to include HSTS headers, even though they have no effect, then you should first confirm it is working locally. Then confirm that you have the calls in the right order. Many of the extension methods require that you call them at specific points in the creation pipeline otherwise they don't work. This is one of the troubling issues with the ASP.NET pipeline. The docs I mentioned earlier show where in the pipeline these calls need to happen.