Is your CMS running on HTTPS? If yes, run the MVC app on HTTPS, too.
Which Kentico version do you use?
When registering CORS you may could do something like this to avoid issues on dev instances.
// Allow every kind of origin, header or method while developing
// CORS = cross origin requests.
// see also: https://docs.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-5.0