I don't know much about CORS, but WebDav uses a lot of methods in addition to GET, POST, and OPTIONS. In addition, it uses: DELETE, PUT, COPY, LOCK, MKCOL, MOVE, PROPFIND, PROPPATCH, and UNLOCK. Perhaps those need to be added to the "cors.allowed.methods" section.

I see that the request above uses POST, however, so the other idea is permissions or CSRF checking.