Offload HTTPS causing CORS error on EKS

After enabling HTTPS with type offload I get 403 errors like:

    API request failed (403): Action is not authorized with current scopes; requires any of [delete:servers]

on certain hub requests (while setting up a notebook instance or trying to stop a server) when I activate https offloaded to the AWS load balancer.

Checking on the hub pod logs I see this message:

    [W 2023-02-23 17:35:19.725 JupyterHub base:89] Blocking Cross Origin API request.  Referer:, Host:, Host URL:
    [W 2023-02-23 17:35:19.726 JupyterHub scopes:804] Not authorizing access to /hub/api/users/xxx/server. Requires any of [delete:servers], not derived from scopes []
    [W 2023-02-23 17:35:19.726 JupyterHub web:1796] 403 DELETE /hub/api/users/xxx/server (::ffff: Action is not authorized with current scopes; requires any of [delete:servers]
    [W 2023-02-23 17:35:19.727 JupyterHub log:186] 403 DELETE /hub/api/users/xxx/server (@::ffff: 3.60ms

So it seems the error behind the 403 is a CORS issue because of the HTTPS.

I’m using an EKS cluster in AWS set up following zero-to-jupyterhub instructions. The proxy config is:

    enabled: true
    type: offload
    annotations: "true" "arn:..." "tcp" "https" "3600"

As described here.

My setup is working if I use a letsencrypt certificate. It also works well when accessing with http.

I tried several ways to override the CORS as described in several similar issues without luck. What’s missing in the setup to allow for an offloaded https certificate?
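
An added example, not part of the original post and not JupyterHub's own code: a simplified model of a Referer-versus-Host same-origin check, showing one way a scheme mismatch behind a TLS-offloading load balancer can produce a block like the "Blocking Cross Origin API request" line above. The function names, the `X-Forwarded-Proto` handling and the host `hub.example.org` are assumptions made for illustration.

```python
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    u = urlparse(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))


def effective_scheme(conn_scheme, headers, trust_forwarded):
    """Scheme the application believes the browser used.

    Forwarded headers are honoured only on request, because they are safe
    only when a proxy you control sets (and overwrites) them.
    """
    if trust_forwarded:
        fwd = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
        if fwd in DEFAULT_PORTS:
            return fwd
    return conn_scheme


def referer_allowed(conn_scheme, headers, trust_forwarded=False):
    """True when the Referer has the same origin as the request's own Host."""
    host, referer = headers.get("Host"), headers.get("Referer")
    if not host or not referer:
        return False  # nothing to compare against: treat as cross-origin
    scheme = effective_scheme(conn_scheme, headers, trust_forwarded)
    return origin(referer) == origin(f"{scheme}://{host}/")


# Constructed sample requests (not taken from the logs above).
PLAIN_HTTP = {"Host": "hub.example.org",
              "Referer": "http://hub.example.org/hub/home"}
# TLS ends at the load balancer: the browser's Referer says https, but the
# backend connection the application sees is plain http.
OFFLOADED = {"Host": "hub.example.org",
             "Referer": "https://hub.example.org/hub/home"}
OFFLOADED_FWD = dict(OFFLOADED, **{"X-Forwarded-Proto": "https"})

if __name__ == "__main__":
    print("plain http:          ", referer_allowed("http", PLAIN_HTTP))
    print("offloaded, no header:", referer_allowed("http", OFFLOADED))
    print("offloaded, forwarded:", referer_allowed("http", OFFLOADED_FWD, True))
```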