We were hoping it will work like this using a context to append the CORS header as we managed a similar implementation using an Apache server and the below rules in .htaccess:
RewriteRule ^api/(.*)$ http://domain.com/api/$1?apikey=12345678 [L,NE,P,QSA,ENV=CORS:true]
Header set...