I am trying to make a url private in service app. When I am hitting it through react application, it shows cors error 401

I am passing headers
VtexIdclientAutCookie( hardcoded - got from running ‘vtex local token’ in terminal) and Content-type

The policies enabled at react are

 "policies": [
      "name": "outbound-access",
      "attrs": {
        "host": "*",
        "path": "*"

The policies enabled at backend are

`"routes": {
    "status": {
      "path": "/_v/status/:code",
      "public": false,
      "settingsType": "workspace",
      "policies": [{
        "effect": "allow",
        "actions": ["get"],
        "access": "authorized",
        "principals": [

Help me out!