
Access-Control-Allow-Methods doesn't seem to be working


CORS does not prevent a simple (or even preflighted) POST request based on its method.

The Access-Control-Allow-Methods will only be effective for requests that could not have been made with a simple cross-origin form, for instance.

That means: GET and POST can skip the Access-Control-Allow-Methods as described in the spec:

> Simple cross-origin requests generated outside this specification (such as cross-origin form submissions using GET or POST or cross-origin GET requests resulting from script elements) typically include user credentials, so resources conforming to this specification must always be prepared to expect simple cross-origin requests with credentials.
>
> Because of this, resources for which simple requests have significance other than retrieval must protect themselves from Cross-Site Request Forgery (CSRF) by requiring the inclusion of an unguessable token in the explicitly provided content of the request.

(emphasis mine)
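
The following Python sketch is an added example, not part of the original answer or of the spec. It shows which requests trigger the preflight where Access-Control-Allow-Methods is consulted, and the server-side token check the quoted passage calls for. The function names, the `csrf_token` form field and the HMAC-of-session-id token scheme are assumptions made for illustration, and the preflight rule is simplified to method, header name and Content-Type.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for this example; a real service loads it from config.
SERVER_KEY = secrets.token_bytes(32)

SAFE_METHODS = {"GET", "HEAD", "POST"}
SAFE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
}

def needs_preflight(method, headers):
    """True if a browser sends an OPTIONS preflight first, which is the only
    time Access-Control-Allow-Methods is consulted. `headers` holds the
    headers set by the calling script, not Cookie or Origin."""
    if method.upper() not in SAFE_METHODS:
        return True
    for name, value in headers.items():
        if name.lower() not in SAFE_HEADERS:
            return True
        if name.lower() == "content-type":
            if value.split(";")[0].strip().lower() not in SAFE_CONTENT_TYPES:
                return True
    return False

def issue_csrf_token(session_id):
    """Unguessable token bound to the session: HMAC(server key, session id)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def handle_state_change(method, form, session_id):
    """Server-side decision for a state-changing endpoint. The request has
    already arrived, so CORS response headers can no longer stop it."""
    if method.upper() in {"GET", "HEAD"}:
        return 405  # state changes are not served on retrieval methods
    supplied = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    # Constant-time comparison of the token carried in the request body.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403  # missing or wrong token: reject even with a valid cookie
    return 200
```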