The issue comes from the fact that you’re making cross origin requests, not with where the JavaScript file is hosted. As long as the request being made to the HubSpot APIs (api.hubapi.com) is coming from a server, not the client, you should be fine.
If my JavaScript file is on an external server but being called inside the Hubspot platform should it work? Or should I build my entire platform off to use the API?
At this time, HubSpot APIs do not support support cross-origin (CORS) AJAX requests. Making the request client-side using JavaScript would expose any authentication you’re using for the request. For this reason, I’ve deleted the screenshot you attached (since your hapikey was visible). You might want to consider deactivating that hapikey and generating a new one since it was visible on the forum for a while.
In order to use JavaScript/AJAX, you would need to make the request (excluding any authentication) to an external server that could then add the needed authentication and make requests to HubSpot’s APIs server-side.