I don’t know your whole scenario here, but if you are in control of this custom web app that is making the ERP REST Post calls, also make sure you also host the app on draper.com, thus avoiding CORS altogether.
You can’t use wildcard-
when passing credentials.
You can specify one domain though if that works in scenario.
See https://stackoverflow.com/questions/19743396/cors-cannot-use-wildcard-in-access-control-allow-origin-when-credentials-flag-i