So in the end I just needed a php file on my server with the 'allow control header' AND the actual request in the same php file.
-I put a php file which included the header('Access-Control-Allow-Origin: *'); AND a REST request to the api in question. (So the main difference being that PHP makes the api request NOT C2)
-This php also spits out the result of the call with echo.
-I used c2 to call the php file using an axaj POST request
-C2 then receives the request data using LastData
All works a charm when uploaded to the server. Hoorah!
EDIT: I actually REMOVED Access-Control-Allow-Origin: from my PHP file and it all still worked, so presumably the apis that I'm trying to access already have this set at their end.