CloudFront: No 'Access-Control-Allow-Origin' header is present on the requested resource

[golenkovm]

After configuring CF as described [https://github.com/catalyst/moodle-tool_objectfs/blob/master/CLOUDFRONT.md] I had an error with H5P activity https://h5p.org/virtual-tour-360:

Access to image at 'https://my_cf_domain.cloudfront.net/ce/15/ce157b693b885b670fbb7c3f7e938d6b1993b7c4?response-content-disposition=inline%3Bfilename%3D%22scenesrc-5c6528d79e311.jpg%22&response-content-type=image%2Fjpeg&Expires=nnnnnnnnnn&Signature=xxxxxxxxxxx&Key-Pair-Id=yyyyyyyyyyyyyy' (redirected from 'http://localhost/pluginfile.php/1/core_h5p/content/1/images/scenesrc-5c6528d79e311.jpg') from origin 'http://localhost' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

As I can see the request like this should have access-control-* headers in the response:

In fact they didn't have access-control-* headers. File invalidation in CF didn't help [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Invalidation.html]. I checked all CF settings, compared them with other working environments and everything seemed to be fine. I gave up late night, but early morning it was all working as expected. No change was made overnight. Requests had access-control-* headers. The issue just gone. This seems to be some AWS-under-the-hood stuff.

After deleting everything and starting over from scratch I wasn't able to replicate the issue. All worked straight away. I thought that AWS just playing games with me, but @ilyatregubov also faced this issue as part of https://tracker.moodle.org/browse/MDL-70323 review.

At this stage I don't have a working solution (exept waiting).