django-cors-headers has a signal that allows you to decide whether or not to allow the request to pass. The docs show exactly your use case.

Note that CORS_ORIGIN_WHITELIST is also checked by the cors middleware (the signal response doesn't replace the white list), so you can have both: a static whitelist + a dynamic whitelist that depends on the request. You don't need to check the static whitelist in your signal handler.
                                                                        
                                                                        https://github.com/adamchainz/django-cors-headers