Hello.
Try creating a config file in /var/www/domain.tld/conf/nginx/cors.conf
with the following content:
more_set_headers 'Access-Control-Allow-Origin: https://sub.domain.tld';
Then reload nginx:
nginx -t && systemctl reload nginx
Check that header is present:
curl -LIk domain.tld 2>&1 | grep -Fi access-control