[P1] configuration/apim: CORS preflight blocked for SWA origin

[Cataldir]

Problem

Frontend in SWA 108dev fails with CORS when calling APIM configuration endpoint.

Evidence

• Browser console error:
  • Access to XMLHttpRequest at https://tutor-108dev-apim.azure-api.net/api/configuration/themes
  • Origin: https://nice-flower-0be65ed0f.1.azurestaticapps.net
  • Message: No Access-Control-Allow-Origin header is present on preflight response.
• Live APIM policy for configuration-api currently includes only localhost origins:
  • http://localhost:3000
  • http://localhost:5173
  • Missing: https://nice-flower-0be65ed0f.1.azurestaticapps.net

Reproduction

1. Open https://nice-flower-0be65ed0f.1.azurestaticapps.net
2. Go to Configuration screen.
3. Observe request to /api/configuration/themes failing with CORS preflight error.

Impact

• User impact: Critical in dev environment (frontend cannot read configuration data).
• Blast radius: Cross-service API access through APIM for browser clients.

Acceptance Criteria

• APIM policy for all service-edge APIs includes current SWA origin for active environment.
• OPTIONS preflight to /api/configuration/themes returns Access-Control-Allow-Origin for SWA origin.
• Frontend Configuration page loads without CORS errors.
• A workflow-based remediation path exists (no manual portal edits required).
• Add automated validation to fail CI if required SWA origin is missing from APIM CORS policy.