As far as I understand it, everything should still work with permission. You just need to request permission first:
> the preflight requests will request permission from target websites to send HTTP requests with the header Access-Control-Request-Private-Network: true. If permission is granted, the response will carry the header Access-Control-Allow-Private-Network: true. "This ensures that the target server understands the CORS protocol and significantly reduces the risk of CSRF attacks," said Rigoudy and Kitamura.
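
What granting that permission looks like on the target server, as an added example that is not part of the original comment or the quoted article: a function that answers the preflight and sets `Access-Control-Allow-Private-Network: true` only for origins on an allowlist. The function name, the allowlist, the allowed methods and the sample origins are assumptions made for illustration.

```javascript
// Added example (not from the quoted article). ALLOWED_ORIGINS and
// ALLOWED_METHODS are constructed placeholders for a device's own policy.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_METHODS = "GET, POST";

// `headers` uses lower-cased names, as Node's http module exposes them.
// Returns { status, headers } for a CORS preflight, or null when the
// request is not a preflight and should go to the normal handler.
function answerPreflight(method, headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers["origin"];
  const isPreflight =
    method === "OPTIONS" &&
    origin !== undefined &&
    headers["access-control-request-method"] !== undefined;
  if (!isPreflight) return null;

  // Unknown origin: no Access-Control-Allow-* headers at all, so the
  // browser never sends the actual request to this server.
  if (!allowed.has(origin)) return { status: 403, headers: {} };

  const out = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": ALLOWED_METHODS,
    "Vary": "Origin",
  };
  // Grant private-network access only when the browser asked for it.
  if (headers["access-control-request-private-network"] === "true") {
    out["Access-Control-Allow-Private-Network"] = "true";
  }
  return { status: 204, headers: out };
}

// Constructed sample preflights: a trusted origin and an untrusted one.
const trusted = {
  origin: "https://app.example.com",
  "access-control-request-method": "POST",
  "access-control-request-private-network": "true",
};
const untrusted = { ...trusted, origin: "https://other.example.net" };

console.log(answerPreflight("OPTIONS", trusted));
console.log(answerPreflight("OPTIONS", untrusted));
```

In a Node `http` server this would be called with `req.method` and `req.headers` before routing, writing the returned status and headers when the result is not null.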