However, the response headers are missing the critical access-control-allow-origin header, which I need for CORS compliance, when I run the same service in Render:
Did some sleuthing on this: not sure if this is the issue but seemingly someone else ran into this with Martin before. (Martin is a Rust based tileserver that uses Actix)
This is a theory (and I have no way to test this) but given the fix in the Github issue seems to be including an Nginx rule to forward the the protocol, it seems plausible that Render terminating HTTPS connections to be HTTP within its network could be an issue.
But that seems hella weird to me. But so is Render mangling with the outgoing response headers from Martin.