App Proxy, CORS and using Microsoft Entray ID for pre-authentication

Question

We have published an internal API externally using the App Proxy feature in Entra Enterprise Applications.

We are using this API in a SharePoint Framework web part, so we need to deal with CORS, as the client will be running in https://mycompany.sharepoint.com.

We've added HTTP Response Headers to the internal API's IIS configuration.

From our testing, we found that we need to set the App Proxy's Pre Authentication setting to "Passthrough" for this to work, otherwise we get CORS errors.

We can also get this working with Pre Authentication set to Microsoft Entra ID, but only if we also set up a segment. This complicates the setup as it also requires a custom domain, a CNAME and a wildcard SSL certificate for the custom domain.

The official documentation doesn't directly mention anything about the Pre Authentication settings impact on CORS. It does mention complex apps configurations, but we have found that this is necessary even for a simple app (one internal and external domain).

Is there a configuration that supports Microsoft Entra ID for pre authentication without using segments?