Turns out that API endpoint has accidentally become access protected somehow.
Because it works when including a session cookie, as follows:
curl 'https://communities.edgeryders.eu/multisite_account.json?{GET params as usual here}' -H 'Cookie: _t=bbeb……4a86'
(If that kind of command does not work like that for you, the API endpoint might now even be only accessible for admins. Didn’t test for that.)
With such a command, I don’t get the exact same error message when using curl, but I am served a document saying “You are being redirected”, with a link to the login page. Probably JavaScript recognizes from some response metadata that it’s an access protected page, and then tells you “Fetch API cannot load […] due to access control checks.” So this is not anymore about CORS.
We didn’t change the API endpoint, but we updated Discourse on the all sites except edgeryders.eu to the latest version a few days ago (and that broke other things already).
We’ll get the issue about this API endpoint fixed ASAP, within 1-2 days (now tracked as #241). Until then, you could add the cookie header equivalently to the curl command above to be able to work with this endpoint. Of course before live use, the issue has to be fixed as you’d not want to have an auth cookie of your own communities.edgeryders.eu login inside the software.
(In other news, I just refined the API manual sections about multisite_account.json and about multisite_account_api_key.json.)