We have an LWC that works perfectly in all orgs.
We use Lightning Out in a VF Page to display the LWC in multiple orgs.
In only some of those orgs, we are starting to see a CORS issue due to the static resource being served by a different url than the CORS header accompanying it.
We have tried making the static resource private and public, same problem.
The problem goes away for a user, if that user goes to setup and downloads the static resource (it will still remain for other users in the org until they do so too though).

Here's the actual CORS error (sanitized for privacy) from the browser dev console:
Access to XMLHttpRequest at 'https://acme--c.visualforce.com/apex/VFPage?id=a026g00000F6SkOAAV&isdtp=p1&sfdcIFrameOrigin=https://acme.lightning.force.com' (redirected from 'https://acme--c.na174.visual.force.com/apex/VFPage?id=a026g00000F6SkOAAV&isdtp=p1&sfdcIFrameOrigin=https://acme.lightning.force.com') from origin 'https://acme--c.na174.visual.force.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.