By the way, the way that I’ve overcome the problem was to rollout a reverse proxy (Traefik deployed as a pod, not an ingress) inside Kubernetes with a configuration for the external service.
Then I applied a Jwt policy using the reverse proxy svc as a target and not the Istio Ingress gateway.
This worked and I have verified that both Cors and Jwt work as expected together.