There are potentially three components to consider.

- jupyter-server:
- jupyter-server-proxy: it’s a jupyter-server extension which mostly passes requests through, so any CORS checks should be in jupyter-server. However, it might be worth adding some debug logging in your proxied application to check what headers are being received.
- Your application that you’re proxying: is it also doing its own CORS checks?
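
One way to add the debug logging suggested above, as an added example that is not part of the original post: a WSGI middleware that logs the CORS-relevant headers the proxied application actually receives. It assumes the proxied application is a Python WSGI app; `CorsDebugMiddleware` and `cors_request_summary` are hypothetical names.

```python
import logging
from urllib.parse import urlsplit

log = logging.getLogger("cors-debug")  # set this logger to DEBUG to see output

# Standard HTTP headers that matter for a CORS decision. Cookie and
# Authorization are deliberately left out so credentials never reach the log.
CORS_HEADERS = (
    "Host", "Origin", "Referer",
    "Access-Control-Request-Method", "Access-Control-Request-Headers",
    "X-Forwarded-Host", "X-Forwarded-Proto",
)


def cors_request_summary(environ):
    """Collect the CORS-relevant request headers from a WSGI environ."""
    seen = {}
    for name in CORS_HEADERS:
        value = environ.get("HTTP_" + name.upper().replace("-", "_"))
        if value is not None:
            seen[name] = value
    origin = seen.get("Origin")
    # Origin is scheme://host[:port]; compare its host:port with the Host header.
    seen["cross_origin"] = bool(origin) and urlsplit(origin).netloc != seen.get("Host")
    # A preflight is an OPTIONS request carrying Access-Control-Request-Method.
    seen["preflight"] = (environ.get("REQUEST_METHOD") == "OPTIONS"
                         and "Access-Control-Request-Method" in seen)
    return seen


class CorsDebugMiddleware:
    """Wrap a WSGI app and log what arrived before the app handles it."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        log.debug("%s %s %s", environ.get("REQUEST_METHOD"),
                  environ.get("PATH_INFO"), cors_request_summary(environ))
        return self.app(environ, start_response)
```

If a request is rejected and nothing is logged here, it never reached the proxied application, which points at jupyter-server rather than the application's own checks.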