To expand on that, in case someone is interested:

The feature that was called is usually bundled in with cors, even if it strictly speaking isn't.

Allowed origins (what was meant) just validates the Origin header to make sure the API is called from a specific domain, and declines the request if not in the list.

The only way around that is not to send the unsubscribe request via the browser or proxy through a server, because the browser will always append the origin header according to the domain the user is on. Which if configured correctly and not proxied, would end in a http forbidden.

Whereas CORS would not even send the request I believe (but haven't verified), because thats essentially a browser feature, not server.