Hi Tom,
I am able to get this issue in sample project with your shared VAST detail.
But could you share any production VAST URL with us for further investigation?
Because shared VAST looks like having some issue related to wildcard '*' or malformed URL.
While testing this in VSI, i can see this below error in console.
Error: "Access to fetch at '
https://theoplaye.............image.xml' from origin '
https://imasdk.googleapis.com' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'."