As you may know, API GW follows CORS specifications which are defined by Mozilla. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin

Due to CORS specification, the server cannot respond with multiple domains in a single Access-Control-Allow-Origin header unfortunately.

For REST API to have multiple domains in CORS, a work around could be to create an API with a Lambda proxy integration. So that we can assign the CORS domains in the Lambda function doing  the CORS validation.

Alternatively, you may consider to use HTTP API, which is possible to add all the origins in string format in CORS.