Passport is token based, meaning bearer tokens. My suggestion is to watch the free Passport video.
Losing Session during external OAuth callback
I have a hybrid authentication website that uses the Auth0 Hybrid Flow, which sends both an ID token and an Access Token in the same response. As this could be too large and too sensitive to be seen in a GET request, their process creates a JavaScript-submitted hidden form with all of these credentials that gets POSTed back to our Laravel server. Here are their docs on Hybrid Flow: https://auth0.com/docs/get-started/authentication-and-authorization-flow/hybrid-flow/call-api-hybrid-flow
They have a state and a nonce field, both of which persist through the authentication/authorization process and could in theory hold a CSRF token to allow the incoming request to join the session. However, when the POST returns to my site, no cookies are present in the request, and the old session is abandoned before any CSRF token validation can occur.
My questions are these:
- How do I retain the same session through this POST-back auth process?
- Is this a cookie/browser limit that I cannot work around?
At this point, I just add the callback endpoint to the $except array in the VerifyCsrfToken middleware and it works, but only by creating a new session with each authentication.
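The state/nonce binding the question mentions, as an added, language-neutral illustration (Python rather than PHP; this is not code from the post, from Laravel, or from Auth0). It assumes the parameter names the Auth0 hybrid-flow docs use (`response_type=code id_token`, `response_mode=form_post`), that the ID token's signature has already been verified by a JWT library before its claims reach `handle_callback`, and an in-memory dict standing in for a shared server-side cache. The point is that the lookup is keyed by `state`, which travels with the POSTed form, so the callback can be matched to the session that started the login even when that request arrives with no cookies; `nonce` is checked against the ID token, and each state is single use and expires.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode


@dataclass
class PendingLogin:
    session_id: str    # the session that initiated the login
    nonce: str         # must reappear as the ID token's `nonce` claim
    started_at: float


class CallbackBinder:
    """Bind an OAuth/OIDC form_post callback to the session that started it.

    The binding lives in a server-side store keyed by `state`, not in the
    browser's session cookie, so it survives a cross-site POST that arrives
    with no cookies. Assumption: a real deployment backs `_pending` with a
    shared cache (Redis, the database) rather than a process-local dict.
    """

    def __init__(self, ttl_seconds: int = 300, clock: Callable[[], float] = time.time):
        self._pending: Dict[str, PendingLogin] = {}
        self.ttl = ttl_seconds
        self.clock = clock

    def begin(self, session_id: str) -> Tuple[str, str]:
        """Mint single-use state and nonce values and remember who asked."""
        state = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(32)
        self._pending[state] = PendingLogin(session_id, nonce, self.clock())
        return state, nonce

    def complete(self, state: str, id_token_nonce: str) -> Optional[str]:
        """Return the originating session id, or None if the callback is bad."""
        entry = self._pending.pop(state, None)        # pop: a state is single use
        if entry is None:
            return None                               # unknown or replayed state
        if self.clock() - entry.started_at > self.ttl:
            return None                               # stale login attempt
        if not hmac.compare_digest(entry.nonce.encode(), id_token_nonce.encode()):
            return None                               # ID token not minted for this login
        return entry.session_id


def build_authorize_url(domain: str, client_id: str, redirect_uri: str,
                        state: str, nonce: str) -> str:
    """Authorize URL for the hybrid flow (parameter names assumed from the Auth0 docs)."""
    params = {
        "response_type": "code id_token",   # hybrid: code plus ID token
        "response_mode": "form_post",       # tokens come back in a POSTed form
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
    }
    return "https://" + domain + "/authorize?" + urlencode(params)


def handle_callback(binder: CallbackBinder, form: Dict[str, str],
                    id_token_claims: Dict[str, object]) -> Optional[str]:
    """`form` is the POSTed body; `id_token_claims` are already signature-verified claims.

    Returns the session id to resume, or None (reject the callback).
    """
    state = form.get("state", "")
    nonce = str(id_token_claims.get("nonce", ""))
    return binder.complete(state, nonce)


if __name__ == "__main__":
    # Constructed walk-through: start a login, then simulate the form_post callback.
    binder = CallbackBinder()
    state, nonce = binder.begin("session-abc")
    print(build_authorize_url("example.auth0.com", "my-client-id",
                              "https://app.example/callback", state, nonce))
    posted_form = {"state": state, "code": "constructed-code", "id_token": "constructed-jwt"}
    print(handle_callback(binder, posted_form, {"sub": "user|1", "nonce": nonce}))
    print(handle_callback(binder, posted_form, {"sub": "user|1", "nonce": nonce}))  # replay
```

Resuming the stored session id after `complete()` succeeds is then the application's job; the callback route still needs no cookie-based CSRF check because the state value plays that role, and rejecting unknown, replayed, expired or nonce-mismatched states is what makes that safe.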