Presently I have these .htaccess rules working perfectly on my Apache server:

<IfModule mod_headers.c>
    SetEnvIf Origin "https://(www\.)?(domain.com|beta.domain.com|domain.loc)$" AccessControlAllowOrigin=$0
    Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
    Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, X-CSRF-Token, X-XSRF-TOKEN"
    Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
    Header set Access-Control-Allow-Credentials true
</IfModule>

<IfModule mod_rewrite.c>
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
</IfModule>

Recent decision to switch to nginx requires us to implement the same. I'm still getting a hang of its internals and really need help converting this into its nginx config counterpart.

EDIT: What I tried so far:

server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;

    server_name api.mydomain.loc;

    root /var/www/mydomain/api/public;

    index index.html index.htm index.php;

    location / {
        if ($http_origin ~* https://(www\.)?(mydomain.loc)) {
            add_header Access-Control-Allow-Origin $http_origin;
            add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, X-CSRF-Token, X-XSRF-TOKEN";
            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
            add_header Access-Control-Allow-Credentials true;
        }

        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain charset=UTF-8';
            add_header 'Content-Length' 0;
            return 204;
        }

        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
              try_files $uri =404;
              fastcgi_split_path_info ^(.+\.php)(/.+)$;
              fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
              fastcgi_index index.php;
              fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
              include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }
}

Help would be greatly appreciated.

The simplest nginx equivalent of the Apache config in the question would be, just use add_header and wrap it all in anif block that does a regex match against $http_origin:

location / {   
  if ($http_origin ~* https://(www\.)?(domain.com|beta.domain.com|domain.loc)) {
    add_header Access-Control-Allow-Origin $http_origin;
    add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, X-CSRF-Token, X-XSRF-TOKEN";
    add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
    add_header Access-Control-Allow-Credentials true
  }
  # use $http_authorization to get the value of the Authorization request header
}

The extra RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] stuff that you need to do with Apache isn’t necessary with nginx; instead just use $http_authorization.

Note that variables in nginx that have names prefixed with $http_ are special variables:

$http_name
      arbitrary request header field; the last part of a variable name is the field name
      converted to lower case with dashes replaced by underscores

Thus $http_origin gives you the value of the Origin request header, $http_authorization gives you the value of the Authorization request header, etc.