rogierv

Lumen with JWT, localStorage, Cookie and CSRF

So I've read on different sites / articles that storing JWT in localStorage can be a security issue in the event malicious JS is executed, either by XSS, NPM scripts or a browser extension.

Back to using secure HTTP cookies again for my web-based users. Do I just store the JWT in the cookie and start with CSRF tokens again or is there another way?

My native mobile app users will have no problem and will still use JWT Bearer token, so it's strictly a browser-based issue.

Hope someone can shine some light on the issue and point me in the right direction.

Kind regards,

Rogier
