Websocket: Request origin not allowed

We have a self-managed GitLab CE cluster on K8s, deployed using the official chart (running behind self-deployed Traefik).

While looking in the logs for the webservice container I noticed a frequent number of these errors:

{"component": "gitlab","subcomponent":"production","level":"info","time":"2023-01-18T14:25:43Z","message":"Started GET \"/-/cable/\" [WebSocket] for xxx.xxx.xxx.xxx at 2023-01-18 14:25:43 +0000"}
{"component": "gitlab","subcomponent":"production","level":"unknown","time":"2023-01-18T14:25:43Z","message":"Request origin not allowed: https://gitlab.example.com
{"component": "gitlab","subcomponent":"production","level":"unknown","time":"2023-01-18T14:25:43Z","message":"Finished \"/-/cable/\" [WebSocket] for xxx.xxx.xxx.xxx at 2023-01-18 14:25:43 +0000"}

I found a similar issue (#386782 (closed)) which mentions it being a L8 issue and this user has resolved the issue by fixing headers their Apache sends to the GitLab Webservice.

However, when I check the headers it received using an echo-service container I see the correct headers are being sent:

Host: gitlab.example.com

.....

X-Forwarded-For: xxx.xxx.xxx.xxx
X-Forwarded-Host: gitlab.example.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: traefik-fz2rc
X-Real-Ip: xxx.xxx.xxx.xxx

Is there anything I need to change, perhaps in my Traefik config for this to work?