CORS policy problems


I’m running an webserver where a customer hosts Contao under www.domain.tld and Matomo unter matomo.domain.tld. He wants to connect both products an presents me with the developer console of chromium webbrowsers which says:

Access to XMLHttpRequest at 'https://matomo.domain.tld/matomo.php' from origin 'https://www.domain.tld' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

As I checked using “curl -I” matomo.domain.tld delivers such an header with origin * since we set this in matomos CORS settings. Contao itself does not deliver such an header - so I set up the apache2 VHost to do so. Also checked by “curl -I”.
But the error still keeps present.

What may be the reason for? Thanks in advance, Ronny