Be aware that by reflecting the "origin" in the Access-Control-Allow-Origin and using Access-Control-Allow-Credentials, you are essentially allowing third-party applications visited by your users to make these requests and read the results. If said results are confidential, this is a concern.
This is not exactly what Fortify is really warning you about, but an issue to consider nonetheless.
Please refer to "What is CORS (cross-origin resource sharing)? Tutorial & Examples", under "Server-generated ACAO header from client-specified Origin header".
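
The difference between reflecting the Origin header and checking it against an allowlist, as an added example that is not part of the original answer. The function names and the example.com origins are constructed for illustration.

```javascript
// Added example: all names and origins here are assumptions, not from the post.

// Pattern the answer describes: the request's Origin is echoed back and
// credentials are allowed, so any site the user visits can read the response.
function reflectingCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hypothetical allowlist of origins trusted to read credentialed responses.
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Hardened form: exact string match against the allowlist. No prefix, suffix
// or regex matching, and the literal origin "null" is never trusted.
function allowlistCorsHeaders(requestOrigin, trusted = TRUSTED_ORIGINS) {
  // Vary: Origin stops a shared cache from replaying one origin's CORS
  // headers to a different origin.
  const headers = { Vary: "Origin" };
  if (typeof requestOrigin === "string" && trusted.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Constructed sample Origin header values for comparing the two policies.
const SAMPLE_ORIGINS = [
  "https://app.example.com",                   // trusted
  "https://other.example.net",                 // unrelated site
  "https://app.example.com.other.example.net", // contains a trusted name only
  "null",                                      // sandboxed or file-based document
];

// Returns, per origin, whether each policy lets that origin read the response.
function compare(origins = SAMPLE_ORIGINS) {
  return origins.map((origin) => ({
    origin,
    reflectedReadable:
      reflectingCorsHeaders(origin)["Access-Control-Allow-Origin"] === origin,
    allowlistReadable:
      allowlistCorsHeaders(origin)["Access-Control-Allow-Origin"] === origin,
  }));
}

console.table(compare());
```
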