I think the simplest solution would be to add a fetch method to Joplin's plugin API (e.g. something similar to this draft implementation).
Background: Plugin architecture on mobile
On mobile, plugins run within iframes inside a background WebView:
On web, the background WebView is also an iframe. Part of the goal of this design was to reduce memory usage — if I recall correctly, having one WebView per plugin led to higher memory usage than a single WebView with multiple plugin iframes.
As a result, CORS restrictions could be a result of restrictions on the parent WebView, or restrictions on the iframes within the WebView.
React Native WebView CORS
There are several stale closed issues in the React Native WebView repository related to CORS restrictions: Intercept response headers to bypass CORs · Issue #1781 · react-native-webview/react-native-webview · GitHub, Any hack/option to bypass CORS? · Issue #2155 · react-native-webview/react-native-webview · GitHub, Allow CORS · Issue #570 · react-native-webview/react-native-webview · GitHub
Based on this, I suspect that the CORS issue (at least on iOS/Android) is a limitation of react-native-webview.