Okey, I finally figured out a way. For anyone in the future:
The problem was that basicauth protected the pre-flight OPTIONS request made by the browser (Postman doesn’t make this OPTIONS request), but it couldn’t send the Authorization header before the servers CORS policy had responded. In other words the CORS policy was protected behind basicauth but couldn’t be authorized before the pre-flight response returned HTTP OK status.
What I did then was that I made basicauth only protect everything except OPTIONS requests. Here is my Caddyfile which now completely seems to work. Feel free to let me know if there’s something wrong with this approach 
api.velosity.co
@options {
method OPTIONS
}
@other {
not method OPTIONS
}
handle @options {
respond 204
header Access-Control-Allow-Headers Authorization
header Access-Control-Allow-Origin *
}
basicauth @other {
username <hashed-password>
}
reverse_proxy <server-ip-address>:2019 {
header_down Access-Control-Allow-Headers *
header_down Access-Control-Allow-Origin *
header_up Origin <secret-origin-token>
}