Request intermittently not including 'access-control-allow-origin' header in response

I am running a HTTP lambda through serverless - I have set up cors using serverless.

For the majority of users - there’s no issue.

For a very small percentage of users - the request following the OPTIONS call is not returning access-control-allow-origin.

It has a successful preflight, that returns access-control-allow-origin - but the POST request following doesn’t return access-control-allow-origin - causing a CORS error.

For the users it doesn’t work for - no matter if they change computer or network - it still happens - and it’s always the same users.

What can affect returning an access-control-allow-origin? I’ve looked through the HAR files and for the 98% of users it works for and the 2% it doesn’t - the requests and responses look the same apart from access-control-allow-origin missing in the POST request after OPTIONS

Happy to send over the HAR files if that would help