Hacker News

Overall this was great. One bit stood out as odd though:

> In such cases, our API is public, but we don’t want any website to send data to our analytics API. In fact, we are interested only in requests that originate from browsers that have our website rendered – that is all.

CORS doesn't seem like the right tool for this. Anyone can spam your analytics endpoints without a browser; do you gain anything meaningful by restricting the browser as well?



It's the right tool for preventing WEBSITES from using your endpoints - they might be able to take your JS, reverse engineer and run it, but you can mitigate how useful this is by preventing calls to CORS-protected resources. This does not protect your endpoints from attackers in general though, so to your point, it depends what they're trying to accomplish.
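The policy both comments describe, as an added example in Node-style JavaScript that is not from the thread or the article it discusses: an Origin allowlist for an analytics endpoint, showing which cross-site browser calls are stopped and that a client sending no Origin header at all is untouched by CORS. The allowlisted origins and the JSON-only rule are assumptions.

```javascript
// Added example, not code from the thread or the article it discusses. It
// assumes an allowlist of the site's own origins (example.com is a placeholder).
const ALLOWED_ORIGINS = new Set(["https://example.com", "https://www.example.com"]);

// CORS headers for an allowlisted Origin, {} otherwise so the browser refuses
// to hand the response to a page on any other site. The Origin value is never
// echoed back unless it is on the list.
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": "POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type",
    Vary: "Origin", // keep caches from serving one origin's answer to another
  };
}

// Pure request handler: takes the method and a lower-cased header map (as
// Node's req.headers is) and returns {status, headers, body}, so the policy
// can be exercised without opening a socket.
function handleAnalytics(method, headers) {
  const origin = headers.origin;
  const cors = corsHeadersFor(origin);
  if (method === "OPTIONS") {
    // Preflight. A bare 204 with no CORS headers makes the browser drop the
    // real POST before it is sent: the "preventing calls" case above.
    return { status: 204, headers: cors, body: "" };
  }
  if (method !== "POST") return { status: 405, headers: {}, body: "" };
  if (origin !== undefined && Object.keys(cors).length === 0) {
    // Cheap server-side check on a declared foreign Origin. It catches nothing
    // that omits or forges the header, i.e. any non-browser client.
    return { status: 403, headers: {}, body: "" };
  }
  if (headers["content-type"] !== "application/json") {
    // Requiring JSON makes a cross-origin browser POST non-"simple" and so
    // preflighted. A text/plain or form-encoded POST is sent regardless of CORS
    // with only its response hidden; without the Origin check above it would be logged.
    return { status: 415, headers: cors, body: "" };
  }
  // Allowed origin, or no Origin at all (curl, a script): CORS says nothing
  // about the latter, which is the gap the first comment points out.
  return { status: 202, headers: cors, body: "recorded" };
}

// Wire-up, if wanted: http.createServer((req, res) => { const r =
// handleAnalytics(req.method, req.headers); res.writeHead(r.status, r.headers);
// res.end(r.body); }).listen(8080);
```

Rate limiting or a per-visitor token still has to cover the no-Origin path; CORS alone never will.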



