API Gateway using serverless-domain-mananger returns 403 error

When I use the custom domain https://api-dev.testapp.net or if I use the actual API Gateway generated URL the request returns an error:

    OPTIONS https://api-dev.testapp.net/dev/locations 403 ()

    Failed to load https://api-dev.testapp.net/dev/locations: Response to preflight request doesn't pass access 
    control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 
    'https://xxxxx0f67xxxxxe7963c04cxxxxx23bf.vfs.cloud9.us-east-1.amazonaws.com' is therefore not allowed 
    access. The response had HTTP status code 403. If an opaque response serves your needs, set the 
    request's mode to 'no-cors' to fetch the resource with CORS disabled.

I have set up an API where each path is a microservice, all pointing back to a custom domain name. Each stage also has a different domain.

I am using cognito for user authentication and as far as I can tell the authentication is functioning properly.

Here is a sample of my serverless.yml

service: testapp-location
  - serverless-domain-manager
  stage: ${opt:stage, self:provider.stage}
    prod: api.testapp.net
    test: api-test.testapp.net
    dev: api-dev.testapp.net

  basePath: "locations"
  domainName: ${self:custom.domains.${self:custom.stage}}
  stage: "${self:custom.stage}"
  createRoute53Record: true
    - models
  name: aws
  runtime: nodejs6.10
  stage: ${opt:stage, 'dev'}
    DATABASE_HOST: ${file(../../config/api/${self:provider.stage}.config.json):DATABASE_HOST}
    DATABASE_NAME: ${file(../../config/api/${self:provider.stage}.config.json):DATABASE_NAME}
    DATABASE_USERNAME: ${file(../../config/api/${self:provider.stage}.config.json):DATABASE_USERNAME}
    DATABASE_PASSWORD: ${file(../../config/api/${self:provider.stage}.config.json):DATABASE_PASSWORD}
  region: us-east-1

I have confirmed that the Route 53 entry has been set-up and pointing to the Cloudfront distribution.
The base path mappings are also set-up and the custom domains have valid TLS certs attached to them.

Things should be working, but I think I need a hand debugging this. Any help would be appreciated.

It’s a CORS error. Make sure you’re setting Access-Control-Allow-Origin to * or https://xxxxx0f67xxxxxe7963c04cxxxxx23bf.vfs.cloud9.us-east-1.amazonaws.com