Cross-domain API POST with cookie auth fails due to CORS policy
Not sure if my title is correct or not.
I have an application in the same domain as my GitLab server:
https://app.same-domain.com
https://gitlab-instance.same-domain.com
I want the app to be able to post issues to the GitLab instance. However, I'm getting an issue with the post.
Here's the error:
XMLHttpRequest cannot load https://gitlab-instance.same-domain.com/api/v4/projects/32/issues. Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'https://app.same-domain.com' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
I'm not sure how to interpret this error or solve it. I've tried withCredentials being both true and false with no change in the outcome.
Is there access to the CORS headers for the gitlab-instance somewhere?
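The check that the error message above describes, as an added example that is not part of the original post and is not GitLab code: a simplified model of the browser-side CORS check for credentialed requests, next to a server-side helper that echoes only allow-listed origins instead of sending the wildcard. The function names, the allow-list and the sample responses are assumptions made for illustration.

```javascript
// Simplified model of the browser's CORS check (Fetch standard).
// Header names are real; function names and sample data are constructed.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) {
    h[k.toLowerCase()] = String(v).trim();
  }
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    return { ok: false, reason: 'missing Access-Control-Allow-Origin' };
  }
  const withCreds = credentialsMode === 'include'; // XHR withCredentials = true
  if (allowOrigin === '*') {
    return withCreds
      ? { ok: false, reason: "wildcard rejected when credentials mode is 'include'" }
      : { ok: true, reason: 'wildcard accepted without credentials' };
  }
  if (allowOrigin !== requestOrigin) {
    return { ok: false, reason: 'Access-Control-Allow-Origin does not match origin' };
  }
  // Credentialed requests also need this header, with the exact value "true".
  if (withCreds && h['access-control-allow-credentials'] !== 'true') {
    return { ok: false, reason: 'Access-Control-Allow-Credentials is not "true"' };
  }
  return { ok: true, reason: 'origin explicitly allowed' };
}

// Assumption: the set of origins the API owner trusts with cookies.
const ALLOWED_ORIGINS = new Set(['https://app.same-domain.com']);

// Server side: echo the origin only if it is allow-listed. Reflecting any
// Origin together with Allow-Credentials would let every site read
// authenticated responses, so unknown origins get no CORS headers at all.
function corsHeadersFor(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // keep caches from serving one origin's headers to another
  };
}

const APP = 'https://app.same-domain.com';
const wildcard = { 'Access-Control-Allow-Origin': '*' }; // constructed response
console.log(corsCheck(APP, 'include', wildcard));             // fails, as in the error
console.log(corsCheck(APP, 'include', corsHeadersFor(APP)));  // passes
console.log(corsCheck('https://other.example', 'include',
                      corsHeadersFor('https://other.example'))); // fails
```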