Bug in the "allowMethods" of the CORS preflight settings of HttpApi

These are my settings in the AWS CDK:

    const api = new HttpApi(this, "bundled-api", {
      corsPreflight: {
        allowCredentials: true,
        allowHeaders: [
          "authorization",
          "mama-trace-id",
          "content-type",
          "test-header",
        ],
        allowMethods: [
          CorsHttpMethod.GET,
          CorsHttpMethod.POST,
          CorsHttpMethod.PUT,
          CorsHttpMethod.PATCH,
          CorsHttpMethod.OPTIONS,
          CorsHttpMethod.HEAD,
        ],
        allowOrigins: domainList,
      },
      disableExecuteApiEndpoint: true,
      defaultDomainMapping: {
        domainName: this.domainName,
      },
      defaultAuthorizer: lambdaAuthorizer,
    });

The console shows this:

But this is my preflight response:

As one can see, the Access-Control-Allow-Methods is set to *, even tough the console says so differently. Is this a bug or am I doing something wrong? I have disabled cache in my browser and I have recently added "test-header" to the allowed headers and it shows up. So this cannot be a caching issue.

Additional Information: I am using a HttpAlbIntegration with:

    const mapToRoot = new ParameterMapping().overwritePath({
      value: "/$request.path.proxy",
    });