Reconfiguring CORS Policy in ASP.NET Core at Runtime

ASP.NET Core comes with ready to use Cross-Origin Resource Sharing support in the form of Microsoft.AspNetCore.Cors package. The usage is very straightforward, you just need to register the services, configure the policy and enable CORS either with middleware (for a whole pipeline or a specific branch), filter (globally for MVC) or attribute (at the MVC controller/action level). This is all nicely described in the documentation. But what if there is a need to reconfigure the policy at runtime?
Let’s assume that there is an application which contains two APIs. One is considered “private" so only other applications from the same suite can use it, while the second is "public" and a client administrator should be able to configure it so it can be used with any 3rd party application.