
Cross domain requests with JWT?


Suppose a JWT is obtained from secure.example.com and later on it's used to access the API at api.example.com, which has the key used to verify the signature of the JWT. The same JWT is also used for api.prototype.com, which also has the key used to verify the JWT signature, in addition to being set up to allow CORS requests from *.example.com.

Does this just work? In other words, it does not matter what domain issues the JWT. The only thing that matters is that the server authenticating the JWT has the private key that decodes the signature.


Solution

  • A JWT is not linked to a domain. It could contain a reference to the issuer (iss claim), but it is not related in any way with CORS.

    An ajax CORS request to a target domain from a different origin domain is allowed by the browser if the target domain presents some specific headers. Once it is authorized, you can send the JWT or other content.