The CORS error might be caused by one of the following:
The right CORS headers weren't sent in the initial request (e.g. missing the Origin header)
The OAuth client used to obtain the token isn't configured with 172.18.206.82 as the host of one of the redirect URIs in the config. Client credentials don't have any redirect URIs configured; therefore, injecting client credentials tokens into a browser won't work.
if the request is mangled in such a way that the API can't successfully match the request to a known API route, it can't look up what authorization is required for the route, therefore doesn't know what auth provider to use to validate the auth token, and therefore can't look up what domains are valid redirect URIs so it defaults to no CORS headers. That's a possible answer to why some requests work and others don't in the same app or with the same token.
Thanks, I tested from a page that uses token implicit grant to get a token without error. I get the errors from a page that is using a token that I get from the embeddable framework integration using client Id from a token implicit grant I added to my framework.js file. I do see the orgin header and I tried adding the redirect URI.
I would like to be able to just use the embeddable framework to set wrap-up code on an interaction but that doesn't seem possible. So I am trying to use REST APIs to set wrap-up.