I am assuming that you are using the self-hosted sign-in widget (aka the embed widget). This widget is running in the browser (not the Django app) and requires CORS to talk to the authentication API at your Okta tenant.
Go to “Security → API”, click on the “Trusted Origins” tab an make sure you have CORS enabled for your URL:
This is not a problem on the Django side, Okta is not adding the Access-Control-Allow-Origin header for the API call the widget is making.
NOTE: self-hosting the widget will lead to complications where SSO does not work with other applications that are also trusting your Okta tenant. The user is not visiting Okta and the Okta session cookie is not set. It is much better to use Okta-hosted login, and there are no security issues with that. In fact, there are other security issues with the self-hosted widget, among them that the user password is now available to the application if it scrounges for it.