Yes... ended up MS created a support case to investigate this. Apparently even though it's server side, API management needed to have CORS configured. This is what we set my endpoint's policies to (I had two origins listed for my company domain names):
<policies>
<inbound>
<base />
<cors allow-credentials="true">
<allowed-origins>
<origin>https://www.contoso.com</origin>
</allowed-origins>
<allowed-methods>
<method>POST</method>
</allowed-methods>
<allowed-headers>
<header>*</header>
</allowed-headers>
<expose-headers>
<header>*</header>
</expose-headers>
</cors>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>