One example I recently ran into: the integration of our new credit card payment processor failed after deploying to prod because the test environment integrated the payment processor's test environment, since naturally you don't want to pay real money every time you test that functionality.
But in their test environment they only ever loaded pages from their domain into the iframe, whereas in prod it was pages from the card-issuing banks. And our CSP was not written to accommodate that, because you want that to be restrictive and not use wildcards.
When I worked for a bookmaker the test accounts were running on the real environment, so we gambled with real money during development. I liked it very much, because any amount of faked data wouldn't hit half the issues seen in the real world. Sadly we couldn't withdraw from those accounts.