S3/Cloudfront CORS working on some files only

I'm really struggling to get Cloudfront and S3 to add Access-Control-Allow-Origin: * to the headers of video files stored on S3 (for inline video on iPhones - seems to be working everywhere else however inline video is only working on iPhones from the same domain, so assume it's CORS related).

Only the first file in the bucket has the right headers

curl -I -H "Origin: https
://example.com" http://cdn.example.com/0000d723-5c73-4d71-953c-d7e29e70f17b.jpg
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 80962
Connection: keep-alive
Date: Thu, 02 Jun 2016 00:38:50 GMT
Access-Control-Allow-Origin: https://beek.co
Access-Control-Allow-Methods: GET
Access-Control-Max-Age: 3000
Access-Control-Allow-Credentials: true
x-amz-meta-md5-hash: 18692618d1f6865694f08fb2dcd12201
Last-Modified: Wed, 15 Feb 2012 03:08:14 GMT
ETag: "18692618d1f6865694f08fb2dcd12201"
Accept-Ranges: bytes
Server: AmazonS3
Vary: Origin,Access-Control-Request-Headers,Access-Control-Request-Method
Age: 63
X-Cache: Hit from cloudfront
Via: 1.1 284d225e590e6583c457dc0182ee6fe7.cloudfront.net (CloudFront)
X-Amz-Cf-Id: n9NmaT8pwHg5BZmZqoPAxUlGBiLR7BqD5rxodzjfpKi2mFthhGzGyw==

But all the others don't

curl -I -H "Origin: https
://beek.co" http://cdn.example.co/93bd51ac-5a8c-4c08-ac67-42ee5e596477.mp4
HTTP/1.1 200 OK
Content-Type: video/mp4
Content-Length: 44751245
Connection: keep-alive
Date: Thu, 02 Jun 2016 00:40:47 GMT
x-amz-meta-md5-hash: 6d64731504361705258f2b0f9023bd98
Last-Modified: Wed, 16 Mar 2016 20:29:25 GMT
ETag: "6d64731504361705258f2b0f9023bd98"
Accept-Ranges: bytes
Server: AmazonS3
X-Cache: Miss from cloudfront
Via: 1.1 4f2b51b0906eb4177f90fe010732e8a3.cloudfront.net (CloudFront)
X-Amz-Cf-Id: QhBT8ejONAUu5oxzvVXtzC0viSLxGRdBk0Rbq6yRdbxs9TTD7abawA==

Bucket is 'example-assets'

Bucket Policy is

{
    "Version": "2008-10-17",
    "Id": "http referer policy example",
    "Statement": [
        {
            "Sid": "readonly policy",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-assets/*"
        }
    ]
}

CORS configuration is

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>http://*</AllowedOrigin>
        <AllowedOrigin>https://*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>Authorization</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

Cloudfront distribution has 'origin' added to whitelist with settings as such. I've tried adding the other 2 as well and it doesn't seem to make any difference.

What am I missing!?