Kong CORS plugin - Preflight not working

I’m trying to get CORS plugin working in Kong API. 2.5.1.0

Currently I get the following error in the browser:

Access to XMLHttpRequest at ‘https://api.domain/gateway/booking-management/2.0/users?userId=TI0003’ from origin ‘https://origindomain’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

HTTP Request for preflight looks like:

Request URL: https://api.host/gateway/booking-management/2.0/users?userId=TI0003
Request Method: OPTIONS
Status Code: 404 Not Found
Remote Address: ipaddress:443
Referrer Policy: strict-origin-when-cross-origin

Response Header

Connection: keep-alive
Content-Length: 48
Content-Type: application/json; charset=utf-8
Date: Fri, 18 Feb 2022 02:29:36 GMT
Server: kong/2.5.1.0-enterprise-edition
X-Kong-Response-Latency: 1

Request Header:

Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en-AU;q=0.9,en;q=0.8
Access-Control-Request-Headers: authorization,authorizationbasic,clientname,content-type
Access-Control-Request-Method: POST
Cache-Control: no-cache
Connection: keep-alive
Host: api.host
Origin: https://origindomain
Pragma: no-cache
Referer: https://origindomain/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36

yaml configuration has cors enabled at the service level (though I’ve also tried to add cors at route level)

Yaml version format version is: _format_version: “0.1”

config:
              credentials: true
              exposed_headers:
              - Authorization
              - AuthorizationBasic
              - ClientName
              - Access-Control-Allow-Origin
              - Access-Control-Allow-Methods
              - Access-Control-Expose-Headers
              headers:
              - Accept
              - Cache-Control
              - Authorization
              - Content-Type
              - ClientName
              - AuthorizationBasic
              - Content-Length
              - Access-Control-Allow-Origin
              max_age: 3600
              methods:
              - GET
              - POST
              - PATCH
              - HEAD
              - OPTIONS
              origins:
              - '*'
              preflight_continue: false
            enabled: true
            name: cors
            protocols:
            - grpc
            - grpcs
            - http
            - https

Below is the route. Note: I’ve tried adding Options method to main route, but below I have add seperate preflight route … to no avail

          - headers:
              ClientName:
              - DEMOPROD
            https_redirect_status_code: 426
            methods:
            - GET
            - POST
            - PUT
            - DELETE
            - PATCH
            - HEAD
            name: Demo_PROD_V2_Users
            path_handling: v0
            paths:
            - /gateway/booking-management/2.0/users
            plugins:
            - config:
                <acl auth>
            - config:
               <introspection auth>
            - config:
                <request transformer>
            - config:
                <route-by-header>
            preserve_host: false
            protocols:
            - http
            - https
            regex_priority: 0
            request_buffering: true
            response_buffering: true
            strip_path: true

and the preflight route:

headers:
              ClientName:
              - DEMOPROD
            https_redirect_status_code: 426
            methods:
            - OPTIONS
            name: Demo_PROD_V2_Users_Preflight
            path_handling: v0
            paths:
            - /gateway/booking-management/2.0/users
            preserve_host: false
            protocols:
            - http
            - https
            regex_priority: 0
            request_buffering: true
            response_buffering: true
            strip_path: true

The service uses keycloak for oauth2 introspection

- implementation:
      kong:
        service:
          connect_timeout: 60000
          host: keycloak.domain
          id: 9d67b5f2-9b65-4c69-8a01-03e9dacd335a
          path: /auth/realms/{realmname}/protocol/openid-connect/token

Any help would be greatly appreciated