CORS Handling when 401 from Google API Gateway

Question

I've implement security in my API Gateway. I want to add Access-Control-Allow-Origin response header when the token provided from client is invalid (401). Please help me how to solve it. I have tried many ways but I still can't solve this problem. Thank you

Fyi i'm using Cloud Function for my backend

swagger: '2.0'
info:
  title: mishirin-reward-api
  description: Mishirin Reward API
  version: 2.0.0
schemes:
  - https
produces:
  - application/json
paths:
  /generateQrCodeUser:
    post:
      summary: Generate QR Code User
      consumes:
        - application/json
      operationId: generateQrCodeUser
      x-google-backend:
        address: cloudFunctionAddress
      responses:
        '200':
          description: Successful response
          schema:
            type: string
        '401':
          description: Unauthorized
          headers:
            Access-Control-Allow-Origin:
              type: string
              description: Access Control Allow Origin
              default: '*'
        '429':
          description: Too Many Request
          headers:
            Access-Control-Allow-Origin:
              type: string
              description: Access Control Allow Origin
              default: '*'
      x-google-cors:
        - maxAgeSeconds: 3600
          origin: '*'
          headers:
            - Access-Control-Allow-Origin
            - Content-Type
          responseHeader:
            - Access-Control-Allow-Origin
            - Content-Type
          exposeHeaders:
            - Access-Control-Allow-Origin
      security:
        - firebase: []
    options:
      summary: CORS Generate QR Code User
      consumes:
        - application/json
      operationId: CORSOPTIONSgenerateQrCodeUser
      x-google-backend:
        address: cloudFunctionAddress
      responses:
        '200':
          description: Successful response
          schema:
            type: string
        '401':
          description: Unauthorized
          headers:
            Access-Control-Allow-Origin:
              type: string
              description: Access Control Allow Origin
              default: '*'
        '429':
          description: Too Many Request
          headers:
            Access-Control-Allow-Origin:
              type: string
              description: Access Control Allow Origin
              default: '*'
      x-google-cors:
        - maxAgeSeconds: 3600
          origin: '*'
          headers:
            - Access-Control-Allow-Origin
            - Content-Type
          responseHeader:
            - Access-Control-Allow-Origin
            - Content-Type
          exposeHeaders:
            - Access-Control-Allow-Origin
      security:
        - firebase: []
securityDefinitions:
  firebase:
    authorizationUrl: ''
    flow: implicit
    type: oauth2
    x-google-issuer: '...'
    x-google-jwks_uri: '...'
    x-google-audiences: '...'
x-google-cors:
  - maxAgeSeconds: 3600
    origin: '*'
    headers:
      - Access-Control-Allow-Origin
      - Content-Type
    responseHeader:
      - Access-Control-Allow-Origin
      - Content-Type
    exposeHeaders:
      - Access-Control-Allow-Origin