I understand that both FE and BE can be run in the same container, placing one process in the background. This ways CORS issues are resolved and Identity Access Proxy is only called once when the app URL is visited.
Is it advisable to separate FE and BE into two separate containers? I think CORS could be resolved with headers, but IAP portal would be introduced twice? Once for each app?
There are many aspect to your question.
Do you use containers? So why do you use GAE and not Cloud Run?
With GAE, you have the chance to have only one platform, one domain name and therefore you won't have CORS issues or IAP issue. It's homogeneous
With Cloud Run it's different. Because the URL will be different, you will have CORS issue. The simple way to solve that is to expose your web application (FE + BE) behind a load balancer and therefore with your own domain name.
IAP is not a concern, you can activate IAP on Cloud Run and it will work smoothly
But, if you are doing that (use Cloud Run + Load Balancer), I strongly recommend an hybrid deployment: