If a user authenticates using an App Access Token, add CORS headers
With the helix oAuth requirements
It is often a problem for the less experienced developer to get started, as they don't understand certain rules and limitations around the API.
The less experienced developer may then choose to generate and leak their client secret, or app access tokens on their "front end only" websites in error.
So I propose that if the token is identified as App Access/Client Credentials, Twitch adds "CORS Headers" to block the request
Consider also CORS headers to the token fetching endpoints for App Access generation as well?