Yes, just confirmed the fact that this is a Safari only issue. Only Safari seems to be doing this, we don’t return a 403 so this must a CORS failure. Perhaps Apple is sending additional headers on the request when using Safari that need to be accounted for in the Allowed headers.
I added GET to the allowed methods for CORS and it works that seems to allow it to work in Safari. Please test and let me know.
The redirect workflow looks to be different in Safari when using native controls vs Chrome or other browsers.