The platform would not be causing the 403. It would never return a 401/403 for your app, as it does not, as I write this, provide any authorization or authentication for apps running on it.
You would need to look at your app to see why it's rejecting the request with a 403 Forbidden. CORS is one possibility, but your app might also have RBAC restrictions and perhaps one of those is not right? Just guessing though as I'm not familiar with your app. Sorry.