Speechless about your warning about direct browser access to your API.
Sorry to say that, but I am speechless and question the attitude of your technical team when reading your warning that you are heavily against accessing an API directly from a browser and that you have prevented that by setting CORS.
I think the truth is more: your API is not very well designed, and because of this you need such measures. There are enough widely acknowledged and considered "secure" ways to communicate from a browser to an API, like OAuth etc., but your API does not support that.
OAuth is an absolute standard these days, and it has been promised for a long time now, together with a more powerful and "full-featured" API 2.0, but instead of delivering on these promises your solution is "prevention by CORS"?