Update: I realized that I was missing the additional origins in my CORS initialization, so I changed this to include URLs for both staging and production branches. Now, however, it seems I am getting a different error:

Access to fetch at 'https://staging.<our_url>.com/auth/signinup/code' from origin 'https://production.<our_url>.com' has been blocked by CORS policy: Request header field st-auth-mode is not allowed by Access-Control-Allow-Headers in preflight response.

Followed by a POST request failing:

POST https://staging.<our_url>.com/auth/signinup/code net::ERR_FAILED