If you can't get CORS working on cloudflare tunnels, the solution is:

Zero trust -> rules -> transform -> uri contains nostr.json -> set response header -> set static ->

Access-Control-Allow-Origin: *