It seems you're encountering a CORS-related issue because your backend Azure Web App is set to private, and the requests made via the frontend (client-side) are coming from the user's public IP, which is being blocked due to the private endpoint configuration. Here's a potential approach to solving the problem:
API Management with Private Endpoint Support: Since you're already using API Management, consider configuring the API Management gateway to handle requests from the frontend. This way, the gateway (which resides inside the virtual network) makes the requests to your backend, bypassing the need for the CORS request to come from the user's public IP.
Private DNS Resolution: Ensure that the private DNS configuration for the private endpoint is resolving correctly within the virtual network. Sometimes, misconfigured DNS settings can cause issues when accessing the backend from private IPs.
Reverse Proxy: Implement a reverse proxy within the same VNet as your frontend and backend apps. The proxy can forward the requests from the frontend to the backend, effectively bypassing the CORS issue, as the requests will be seen as internal traffic.
Custom NSG Rules: If you want to allow CORS requests from specific IP addresses, consider updating your Network Security Group (NSG) to allow traffic from the range of IP addresses that your users might be coming from (e.g., whitelisting the public IPs of your users or the front-end).
Hybrid Approach: A combination of enabling both public and private endpoints (for internal and external traffic) while restricting access through security policies may work. This can ensure internal traffic stays private while CORS requests can still function.
These solutions might depend on your overall architecture, but the key here is to ensure requests made client-side (from outside your VNet) have a path to the backend, whether through a proxy, a public endpoint, or an API gateway.
Let me know if you need more clarification or help implementing any of these ideas!