Fix missing Access-Control-Allow-Origin header for CORS 401 requests
This relates to the upload files API endpoint (https://developer.box.com/reference/post-files-content/) but likely applies to other endpoints as well.
When making a call to the above endpoint via CORS, you provide a Bearer token with the request. This token is used to identify the Box account on whose behalf the request is made, and that account's CORS whitelisted domains are then used to populate the Access-Control-Allow-Origin header in the response.
In the case of a successful request to the above endpoint, the OPTIONS preflight request returns the Access-Control-Allow-Origin header with the request origin set. The actual POST request then returns a 201 with Access-Control-Allow-Origin: *.
In the case of a domain mismatch, I assume the Access-Control-Allow-Origin header would not be present on the POST request, causing a CORS failure.
However, if the token has expired or is otherwise invalid, the API cannot identify which Box account to run as. The OPTIONS request still returns the requesting origin in the Access-Control-Allow-Origin header; the POST request, however, returns a 401 status with no Access-Control-Allow-Origin header at all.
I assume the above is because the valid token is used to identify whether the CORS request is from a valid domain. The consequence of this is that browser CORS protection kicks in, and the resulting 401 error cannot be read, even though it originated from a valid domain.
Two proposed solutions:
1. Allow the requestor to specify the account id (or some other way of identifying the Box account) in the request. The app can then use this id instead of the token to determine the appropriate CORS domains. This will, of course, allow unauthenticated requests to trigger a CORS check for a particular account. However, this is standard for CORS: the CORS layer is designed to run before other parts of the request are processed.
2. Always return the Access-Control-Allow-Origin header on 401 responses, either as "*" or as the requestor origin. This basically exempts 401 responses from CORS protection, so it should probably only be enabled as an optional setting on the Box account.
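To make the behaviour and proposal 1 concrete, here is an added example (my own toy model, not Box's code) of an API server's CORS decision for the upload endpoint: it reproduces the 401-without-header case described above and, with one option switched on, resolves the whitelist from an explicit account id instead of the token. The accounts, tokens and the `accountId` request field are all constructed for the demo.

```javascript
// Toy model of the server side of the upload endpoint's CORS handling.
// ACCOUNTS, VALID_TOKENS and the accountId field are constructed, not Box's.
const ACCOUNTS = { "acct-1": { origins: ["https://app.example.com"] } };
const VALID_TOKENS = { "tok-live": "acct-1" }; // an expired token is simply not listed

function accountFromToken(authorization) {
  const m = /^Bearer (\S+)$/.exec(authorization || "");
  return (m && VALID_TOKENS[m[1]]) || null;
}

// req: { method, origin, authorization, accountId }
// Returns { status, headers }; headers is all the browser's CORS check looks at.
function handleUpload(req, { resolveByAccountId = false } = {}) {
  const headers = {};
  if (req.method === "OPTIONS") {
    // The preflight carries no Authorization header, so it cannot be token-scoped;
    // as observed in the post, the requesting origin is echoed back.
    headers["Access-Control-Allow-Origin"] = req.origin;
    return { status: 204, headers };
  }
  const tokenAccount = accountFromToken(req.authorization);
  // Current behaviour: the CORS account is whatever the token identifies, so an
  // invalid token means no account, no whitelist and therefore no header.
  // Proposal 1: the account id sent with the request selects the whitelist instead.
  const corsAccount = resolveByAccountId ? req.accountId : tokenAccount;
  const whitelist = (ACCOUNTS[corsAccount] || { origins: [] }).origins;
  if (whitelist.includes(req.origin)) {
    // Successful uploads answer with "*" (as observed); a 401 under proposal 1
    // echoes the whitelisted origin so the browser may expose the error body.
    headers["Access-Control-Allow-Origin"] = tokenAccount ? "*" : req.origin;
  }
  return { status: tokenAccount ? 201 : 401, headers };
}

// What the browser does with the response: the body is readable by the page only
// if the header is "*" (request sent without credentials) or matches its origin.
function browserCanRead(origin, res) {
  const acao = res.headers["Access-Control-Allow-Origin"];
  return acao === "*" || acao === origin;
}
```

An origin outside the whitelist still gets no header on the 401 even with `resolveByAccountId`, so the unauthenticated path only reveals the error to domains the account already trusts.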
