It is recommended not to use App Service CORS and your own CORS code together. When used together, App Service CORS takes precedence and your own CORS code has no effect.
Cross-Origin Resource Sharing (CORS) support for Azure Storage is not supported with static website.
Just to highlight, since app service is a multi-tenant service instead of a dedicated deployment, it uses host header in the incoming request to resolve the request to the correct app service endpoint. Usually, the DNS name of the application, which in turn is the DNS name associated with the application gateway fronting the app service, is different from the domain name of the backend app service.
As far as options for your app architecture, by using VNet Integration to connect your front-end web app to a subnet in a virtual network, which enables your web app to make calls into your virtual network.
1.Expose your API application by using private endpoints in your virtual network.
2.Use service endpoints to ensure inbound traffic to your API app comes only from the subnet used by your front-end web app.
- Kindly let us know, we may need additional App and sub info to investigate this issue further.