We use the following in the Startup.cs Configure() method. It works with an Azure Web App too, assuming you're not using the *.azurewebsites.net domain.
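    app.Use(async (context, next) =>
    {
        // Allow framing only by this site, the local dev host, and subdomains of yourdomain.com.
        // The indexer overwrites an existing value; Headers.Add throws if the header is already set.
        context.Response.Headers["Content-Security-Policy"] = "frame-ancestors 'self' https://localhost:5000 https://*.yourdomain.com";
        // Fallback for browsers without frame-ancestors support; browsers that enforce frame-ancestors ignore this header.
        context.Response.Headers["X-Frame-Options"] = "SAMEORIGIN";
        await next();
    });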
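
An added example (not part of the original answer) that models in JavaScript how a browser evaluates the two headers above: browsers that enforce `frame-ancestors` ignore `X-Frame-Options`, while a browser that only understands `X-Frame-Options` applies `SAMEORIGIN`. The source matching is simplified to `'self'` and scheme/host/port sources; the function names, `PAGE_ORIGIN` and the parent origins are assumptions made for the illustration.

```javascript
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Match one ancestor origin against one frame-ancestors source expression.
function sourceMatches(source, ancestor, pageOrigin) {
  const a = new URL(ancestor);
  if (source === "'self'") return a.origin === new URL(pageOrigin).origin;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^:\/]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false; // 'none' and forms outside this simplified model never match
  const [, scheme, wildcard, host, port] = m;
  if (a.protocol !== scheme.toLowerCase() + ":") return false;
  const h = a.hostname.toLowerCase();
  // "*.example.com" matches subdomains only, never the bare apex domain.
  const hostOk = wildcard ? h.endsWith("." + host.toLowerCase()) : h === host.toLowerCase();
  const wantPort = port || DEFAULT_PORT[a.protocol];
  return hostOk && (wantPort === "*" || wantPort === (a.port || DEFAULT_PORT[a.protocol]));
}

// supportsCsp=false models a legacy browser that only understands X-Frame-Options.
function mayBeFramed(headers, pageOrigin, ancestors, supportsCsp = true) {
  const csp = headers["content-security-policy"] || "";
  const directive = csp.split(";").map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === "frame-ancestors");
  if (supportsCsp && directive) {
    // With frame-ancestors present, X-Frame-Options is ignored and every ancestor must match.
    const sources = directive.slice(1);
    return ancestors.every(a => sources.some(s => sourceMatches(s, a, pageOrigin)));
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") {
    return ancestors.every(a => new URL(a).origin === new URL(pageOrigin).origin);
  }
  return true; // no framing restriction sent
}

// The two headers set by the middleware above.
const HEADERS = {
  "content-security-policy": "frame-ancestors 'self' https://localhost:5000 https://*.yourdomain.com",
  "x-frame-options": "SAMEORIGIN",
};
const PAGE_ORIGIN = "https://app.example.net"; // constructed placeholder for the site itself

for (const parent of ["https://portal.yourdomain.com", "https://yourdomain.com", "https://other.example"]) {
  console.log(parent, "modern:", mayBeFramed(HEADERS, PAGE_ORIGIN, [parent]),
    "legacy:", mayBeFramed(HEADERS, PAGE_ORIGIN, [parent], false));
}
```

The apex `https://yourdomain.com` is rejected because the wildcard source covers subdomains only; add it as a separate source if it must be allowed to frame the page.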