It is a bit technical. I’m not even sure I can explain it well enough.
When you load the API URL in the browser it is loaded directly from the browser. When you fetch it the host that runs the fetch code is requesting a resource. The two are not the same. CORS blocking is a browser security feature.
The backend I posted has added the header using the cors package.