I think the issue here is the 401 Unauthorized for /keepass/drowland.kdbx.
A CORS preflight request requires a 204 No Content response.
You need to ensure your client is authorized (i.e. via basic auth).
Alternately you could exclude OPTIONS requests from your basicauth directive… This might be a security concern depending on your threat model.
I’ve written a bit in the past about faking CORS preflight responses as well in case there’s something there that helps: V2: Imitate a correct OPTIONS request - #2 by Whitestrake