The standard browser tools apply such as Content Security Policy (CSP) for connecting to different origins from the browser. In particular, the connect-src directive controls whether certain APIs such as fetch are allowed to connect to an origin.
By default, OSDK applications deployed on Foundry are served with a CSP that only allows for loading resources from the subdomain and the main Foundry domain itself. This can be configured specifically for the subdomain for the application (docs).
Note that this is different from configuring the CSP for Foundry itself which may be used for example to allow embedding resources into Foundry (docs).
If you want to fetch external data in your application, and do not want to change the CSP, you can use webhooks to connect to external sources, and call them from your application instead. This way your application is keeping all calls within the foundry domain.