How do hackers trick frontend validation?

I’ve always read: Put validations in the backend. Frontend validations are for UX, not security. This is because bad actors can trick frontend validation. But I’m having a hard time wrapping my head around how a bad actor could trick it.

I never thought about it much; I just thought this meant someone could bypass the validations by making a request on something like Postman. But then I learned that with a same-origin policy that’s not possible. So how are these bad actors making same-origin requests?

The only other idea I can think of is that bad actors can go into the code (e.g., in DevTools), edit the request there, and make an edited request from the same site. Is that what they do?

What does tricking frontend validations look like in practice? How are they making a request that gets around CORS?
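
An added example, not part of the original question: the "put validations in the backend" rule quoted above, written as a framework-free Node.js handler that re-checks every field itself. The endpoint, field names, rules and the `app.example` origin are assumptions made for illustration; the sample requests are constructed.

```javascript
// The same rules a signup form might enforce in the browser for UX.
// The server re-runs them because it cannot know whether the client
// ever executed the frontend code.
function validateSignup(body) {
  const errors = [];
  if (typeof body.username !== 'string' || !/^[a-z0-9_]{3,20}$/.test(body.username)) {
    errors.push('username must be 3-20 chars of a-z, 0-9 or _');
  }
  if (!Number.isInteger(body.age) || body.age < 13 || body.age > 120) {
    errors.push('age must be an integer between 13 and 120');
  }
  return errors;
}

// Takes already-received request data and returns a status plus errors.
function handleSignup(request) {
  let body;
  try {
    body = JSON.parse(request.rawBody);
  } catch (e) {
    return { status: 400, errors: ['body is not valid JSON'] };
  }
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { status: 400, errors: ['body must be a JSON object'] };
  }
  // The Origin header is deliberately not used as a validity signal:
  // it is supplied by the client, and only browsers are bound to set it
  // truthfully. The decision rests on the field checks alone.
  const errors = validateSignup(body);
  return errors.length ? { status: 422, errors } : { status: 201, errors: [] };
}

// Constructed request as the browser form would send it.
const fromForm = {
  headers: { origin: 'https://app.example' },
  rawBody: JSON.stringify({ username: 'alice_01', age: 30 }),
};
// Constructed request with the same Origin header whose body never
// passed through the form's checks.
const fromOtherClient = {
  headers: { origin: 'https://app.example' },
  rawBody: JSON.stringify({ username: '<b>x</b>', age: -5 }),
};

console.log(handleSignup(fromForm));
console.log(handleSignup(fromOtherClient));
```

Both sample requests carry an identical `Origin` header, so the server's outcome differs only because of what `validateSignup` finds in the body.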