Sorry for the delay in responding as I had to work with various teams within to better understand into this issue.
Could you please ensure following has been updated for application:
• Client side, for XHR request, the ‘withCredentials’ property must be explicitly set to ‘true’.
• Client side, for Fetch, the ‘credentials’ property of settings must be explicitly set to ‘include’.
• Server side, ‘Access-Control-Allow-Credentials’ headers must be added and set to ‘true’.
The first two is to let the browser bring credentials while sending the request, in our case, the credentials are cookies.
The third one is to let the browser expose the response to the JavaScript, if credentials are sent, but the response does not contain this header, the request will fail.
Details can be found here: Understand and solve Azure Active Directory Application Proxy CORS issues | Microsoft Learn