I would take a look at how you’re handling the jwt and lic query strings. The initial request to your app (the one that is iframed and generates all of the html) should be where you do the license check. Any resources coming off that - should not (or rather - you shouldn’t be relying on the referring being sent on).
It’s not just Safari that will block referrer headers but also enterprise level firewalls.