CORS is enforced by browsers, not servers. When a script at https://app.example.com tries to fetch from https://api.other.com, the browser checks the response's Access-Control-Allow-Origin header before letting your script see the body. If the server didn't opt in to your origin, the browser blocks access — even though the request did happen.
CORS is exclusively a browser concern. curl, server-to-server calls, and mobile apps all ignore CORS headers entirely. Almost every "CORS error" is really a server misconfiguration: a missing Access-Control-Allow-Origin header, or the wildcard combined with credentials (the spec explicitly forbids that pairing).
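The check the browser applies to a response, as an added example that is not part of the original page: a simplified JavaScript model of the Fetch standard's CORS check, covering the missing-header and wildcard-with-credentials cases named above. The names `corsCheck` and `getHeader` and the sample responses are constructed for illustration.

```javascript
// Simplified model of the browser-side CORS check on a response.
// Preflight requests are not modeled.

// Case-insensitive lookup in a plain { name: value } header object.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// requestOrigin: serialized origin of the calling page.
// credentialsMode: "omit" | "same-origin" | "include" (the fetch() credentials option).
// Returns { allowed, reason }; allowed=false means the script cannot read the response.
function corsCheck(requestOrigin, credentialsMode, headers) {
  const allowOrigin = getHeader(headers, "Access-Control-Allow-Origin");
  if (allowOrigin === null) {
    return { allowed: false, reason: "missing Access-Control-Allow-Origin" };
  }
  const withCredentials = credentialsMode === "include";
  if (!withCredentials && allowOrigin === "*") {
    return { allowed: true, reason: "wildcard, no credentials" };
  }
  if (allowOrigin !== requestOrigin) {
    // Reached for "*" with credentials, another origin, or a comma-separated list.
    const reason = allowOrigin === "*" ? "wildcard with credentials" : "origin mismatch";
    return { allowed: false, reason };
  }
  if (!withCredentials) {
    return { allowed: true, reason: "origin match" };
  }
  if (getHeader(headers, "Access-Control-Allow-Credentials") === "true") {
    return { allowed: true, reason: "origin match with credentials" };
  }
  return { allowed: false, reason: "credentials not allowed" };
}

// Constructed sample responses, as seen by a page at https://app.example.com.
const ORIGIN = "https://app.example.com";
const samples = [
  ["omit", {}],
  ["omit", { "Access-Control-Allow-Origin": "*" }],
  ["include", { "access-control-allow-origin": "*", "access-control-allow-credentials": "true" }],
  ["include", { "Access-Control-Allow-Origin": ORIGIN }],
  ["include", { "Access-Control-Allow-Origin": ORIGIN, "Access-Control-Allow-Credentials": "true" }],
];
for (const [mode, headers] of samples) {
  const { allowed, reason } = corsCheck(ORIGIN, mode, headers);
  console.log(`${mode.padEnd(7)} ${allowed ? "readable" : "blocked "}  ${reason}`);
}
```

In every blocked case the server still received and processed the request; only the script's access to the response is denied.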
Debugging CORS requires a real browser request. Server-side curl tools that "test CORS" are misleading because they don't enforce the policy. Use a tool that runs in-browser like /tools/cors-tester.