As a test, try the following and let us know if you are successful:
In the VSM, ensure that your REST protocol DPH allows a URI rule of OPTIONS /<theuri>/<string> where <theuri>/<string> matches your needed URI.
You will need one OPTIONS for each URI that needs to be "pre-flighted". This varies for example GET requests may not need to make the OPTIONS call.
In the VSI for each OPTIONS REST DPH rule, add a transaction to support the OPTIONS call
OPTIONS /<theuri>/<string>
Since there are no arguments, you might get away with setting the match style to Operation.
I cannot say which response headers are required in your installation, but, in the response META data, add the necessary headers that the Live System echos with the options that are available.
For example,
Allow=OPTIONS,POST,GET
Access-Control-Allow-Origin=*
Accept, Accept-Language, Content-Type, Last-Event-Id, etc.
Also, you may need to remove headers that are not considered safe by your implementation.
Give this a try and report back on what you find out. This will be helpful to others dealing with CORS issues.