Why can't the OAuth token API be called from a front end application?

When authorising a front end app via OAuth2, the user is first taken to a zoom.us url where they are prompted for a password and returned with an OAuth2 refresh code. So far so good, but then you need to request the access token with the refresh code. This gives a CORS error every time; after some reading I discovered that this call HAS to be done from the server for it to work. BUT WHY THO?

I could take the refresh code, pass it back to the server, get the server to make the token request and then pass the token back to the front end. Or (if this rule didn’t exist), it could be done with a single js fetch request.

What is the logic here? I’m already authenticated so I can’t see it being a security issue. If you were worried about armies of botnets making API requests just put in rate limiters. Maybe it’s intentionally a pain to use so we have to use the SDK?

If anyone can shed some light on this or let me know of a way round it I’d be very grateful.
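Added example (not code from the original post or from Zoom's SDK) of the server-side exchange the poster describes: the browser only ever handles the authorization code and an opaque session id, while the client secret, which the token endpoint requires alongside the code, stays on the server. The token endpoint URL and the HTTP Basic convention for client credentials are assumed from Zoom's OAuth documentation; the session dict, config values and transport are constructed for the example.

```python
import base64
import hmac
import json
import secrets
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://zoom.us/oauth/token"  # assumed from Zoom's OAuth docs


def build_token_request(code, redirect_uri, client_id, client_secret):
    """Build the back-channel request that swaps the authorization code for tokens.
    The client secret only appears in the Basic auth header, which is the reason
    this step belongs on the server rather than in browser JavaScript."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urlencode({"grant_type": "authorization_code",
                      "code": code, "redirect_uri": redirect_uri}).encode()
    return Request(TOKEN_URL, data=body, method="POST", headers={
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded"})


def state_matches(expected, received):
    """Constant-time check of the OAuth state value bound to the user's session."""
    return bool(expected) and hmac.compare_digest(expected, received or "")


SESSIONS = {}  # server-side only: opaque session id -> token response


def handle_callback(session, code, received_state, cfg, send=urlopen):
    """Server-side redirect_uri handler: verify state, exchange the code,
    keep the tokens server-side and hand the browser only an opaque session id.
    `session` is the user's server-side session (constructed dict here);
    `send` is injected so the exchange can be exercised offline."""
    if not state_matches(session.get("oauth_state"), received_state):
        raise PermissionError("state mismatch: possible CSRF or stale login")
    req = build_token_request(code, cfg["redirect_uri"],
                              cfg["client_id"], cfg["client_secret"])
    tokens = json.loads(send(req).read())
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = tokens          # access/refresh tokens never reach the browser
    session.pop("oauth_state", None)  # state is single-use
    return sid
```

The front end then calls your own API with the session cookie, and the server attaches the stored access token to outbound Zoom requests on its behalf.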