What are your security settings for the App, and for the BO that your are trying to access?
Also what are your security settings for the instance overall in terms of allowed origins for calling your REST services:
1 person found this helpful
In the allowed origins you are suppose to have the name of the server that your code that will call the REST service will run on.
When testing from postman you should be able to add a header Origin parameter that emulate that server.
After add the header Origin parameter, it's work well.