CORS "Missing Allow Origin" despite configuration

There are a number of things that could be going wrong here (CORS gets pretty complicated and hard to debug), but a few easy things to check would be whether your env vars include http://, as the origin needs to be a fully qualified domain, and just having localhost:port won’t be considered valid.

Another thing to check would be to go into the network tab of your browser when you make the request, click into the request sent to http://localhost:8911, and check the ‘headers’ tab to see what the request and response headers are. You’re looking for the Access-Control-Allow-Origin header, or the Referrer Policy headers. Check the GraphQL Yoga docs for more info on setting up your server, and this Auth0 tutorial for more info about CORS generally.

That being said, if the intent is to have public/open access to certain areas of your API, an easier and safer approach might be to use Redwood’s serverless functions instead of trying to give public access to your GraphQL instance. This approach makes it easier (you don’t have to mess with CORS - Redwood’s functions are open by default) as well as making your GraphQL security policies easier to handle in the future, as it can be an easy enough slip-up to forget an @requireAuth decorator in a spot where you should have one, and then you have a potential data breach.
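
The two checks suggested above (is the configured origin fully qualified, and what does the Access-Control-Allow-Origin response header actually say) can be scripted. This is an added example, not part of the original post or of Redwood's code; the function names and the sample origin `http://localhost:8910` are assumptions made for illustration.

```javascript
// Added example: checkConfiguredOrigin and diagnoseCors are hypothetical helpers.

// Returns null if `value` is usable as a CORS origin, otherwise the reason it is not.
function checkConfiguredOrigin(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return "not a URL (missing scheme?)";
  }
  // "localhost:8910" parses without error because "localhost:" is read as the
  // scheme, so the scheme has to be checked explicitly.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return "scheme must be http:// or https://";
  }
  // Browsers send Origin as scheme://host[:port], with no path or trailing slash.
  if (url.origin !== value) {
    return `must be exactly ${url.origin}`;
  }
  return null;
}

// Compares the Origin the browser sent with the response headers copied from
// the network tab. `withCredentials` is true when the request sends cookies
// or HTTP auth.
function diagnoseCors(requestOrigin, responseHeaders, withCredentials = false) {
  const headers = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v])
  );
  const allow = headers["access-control-allow-origin"];
  if (allow === undefined) return "missing Access-Control-Allow-Origin";
  if (allow === "*") {
    return withCredentials ? "wildcard not allowed with credentials" : "ok";
  }
  return allow === requestOrigin ? "ok" : `mismatch: server allows ${allow}`;
}

// Constructed sample values, not taken from the original thread.
for (const candidate of ["localhost:8910", "http://localhost:8910/", "http://localhost:8910"]) {
  console.log(candidate, "->", checkConfiguredOrigin(candidate) ?? "valid");
}
console.log(diagnoseCors("http://localhost:8910", { "Content-Type": "application/json" }));
```
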