You’re receiving that error because Chrome (as well as other modern browsers) has a same-origin policy restriction that prevents scripts running in the browser from accessing resources in other domain - at the same time though our authorization server does not implement the CORS headers as it may reduce the security of data flow here.
At this step (4. Your App requests an access_token) your server should redirect the browser to our /identity/OAuth/token endpoint and manage the tokens exchange on the backend exclusively rather than make an AJAX/XHR request.
Briefly speaking, in the Authorization Code Grant flow the requests should be made from your server to our server and there’s no need for CORS. Note that the only requests made in the user’s browser are the redirects, which aren’t affected by CORS.