A side effect of using Cloudflare Access with service tokens and XHR requests is the pre-flight OPTIONS request is always triggered due to non-standard headers for authorizing the request, i.e.:
CF-Access-Client-Id: <Client ID> CF-Access-Client-Secret: <Client Secret>
When the pre-flight (OPTIONS) request is made, it is done without these headers, so you are no longer identified, and the OPTIONS request results in a redirection or 403 failure depending on configuration, and does not allow you to to allow browsers access using the header values.
There are number of ways to overcome this side effect, client proxy is simplest, but it would be great to have a way to have separate rules for pre-flight requests, so they can succeed even without the Cloudflare identity headers.