No 'Access-Control-Allow-Origin' header in POST https://expo.io/--/api/v2/snack/uploadCode

expo SDK version: 36.0.0
snack-sdk version: 2.3.6

I have a React web client that takes a user’s code and publishes an Expo snack for the user (under a shared account under my control, not to a user’s own Expo account).

The publish fails at two steps with a CORS No 'Access-Control-Allow-Origin' header is present error:

  1. session.sendCodeAsync(files)
  2. session.saveAsync() (same failure as above)

The failures above are coming from http://localhost-studio.code.org:3000, but the same requests fail in the same way in all environments (production being https://studio.code.org).

Additional but possibly irrelevant context: Prior to the requests above, requests to session.uploadAssetAsync(downloadedAsset) complete successfully. Its response includes the header access-control-allow-origin: *, whereas the responses from the failing requests above obviously do not contain that header.

Am I missing a configuration step? Am I approaching this incorrectly?

I have manual steps that I can supply as well (this feature is available in a production environment behind a feature flag).

Any help is greatly appreciated!