(I'm resurrecting this answer because I would like to share the workaround I created to solve this issue)
If you don't have access to the website hosting the web page you want to serve within the <iframe>
element, you can circumvent the X-Frame-Options
SAMEORIGIN restrictions by using a CORS-enabled reverse proxy that could request the web page(s) from the web server (upstream) and serve them to the end-user.
Here's a visual diagram of the concept:
Since I was unhappy with the CORS proxies I found, I ended up creating one myself, which I called CORSflare: it has been designed to run in a Cloudflare Worker (serverless computing), therefore it's a 100% free workaround - as long as you don't need it to accept more than 100.000 request per day.
You can find the proxy source code on GitHub; the full documentation, including the installation instruction, can be found in this post of my blog.