So… the problem is actually not specific to Jira. This is just how XmlHttpRequest (and in extend maybe the internet) works. This is a basic security issue which all browsers have implemented, and it helps keep the internet safe. You can only make client-side requests to the same domain because this is the only way the browser can determine that the resources is loaded from a connection that is trusted by the end-user (because they decided to load the application from that domain).
It is also the end-user that decides to install your P2 add-on, and as such, accept that it will proxy content from a 3rd party service (you should be clear about that in your add-on description).
For cloud add-ons, if you want to get content from a 3rd party service into your integration, you can use “serverless” products like AWS Lamba or GCP Cloud Functions to implement a proxy server using many popular coding languages. This should not be a huge effort nor should it be expensive (as you will only pay-per-use).