If you are looking to prevent CORS, you could directly use the cors policy.
That being said, you could simply use the check-header policy to look at the Host
header for the URL used by your client but note that the value of the header can be spoofed from untrusted clients. While browsers add that header by default (and can't be changed), other clients, like Postman for example, could be used to insert any host header value required.