I managed to solve this by hosting them on the same domain, as api.domain.com for the backend and fe.domain.com for the frontend. Also, under defaultCookieAttributes, set samesite to lax, secure to true and partitioned to true.
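Why the setup above works, as an added example that is not part of the original post: api.domain.com and fe.domain.com are different origins but the same site, so a `SameSite=Lax` cookie is still attached to credentialed requests between them. The sketch assumes a tiny constructed public-suffix set, a hypothetical cookie name and a hypothetical `fe.other.org` host, and it ignores browser third-party-cookie blocking.

```javascript
// Constructed, minimal suffix set; real code should use the full Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Attributes from the post: samesite lax, secure true, partitioned true.
const COOKIE = { sameSite: "lax", secure: true, partitioned: true };

// Registrable domain (eTLD+1) of a hostname; longest matching suffix wins.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix: no registrable domain, never same-site
}

// Schemeful same-site: same scheme and same registrable domain.
function isSameSite(a, b) {
  const ua = new URL(a), ub = new URL(b);
  const da = registrableDomain(ua.hostname);
  return ua.protocol === ub.protocol && da !== null &&
         da === registrableDomain(ub.hostname);
}

// Simplified model: is the cookie attached to a credentialed fetch()
// made by a page at pageUrl to apiUrl?
function sentOnFetch(cookie, pageUrl, apiUrl) {
  if (cookie.secure && new URL(apiUrl).protocol !== "https:") return false;
  if (isSameSite(pageUrl, apiUrl)) return true; // Lax is sent on same-site requests
  return cookie.sameSite === "none" && cookie.secure; // cross-site needs None + Secure
}

// Set-Cookie value carrying only the three attributes named in the post.
function serialize(name, value, attrs) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  const s = attrs.sameSite;
  if (s) parts.push(`SameSite=${s[0].toUpperCase()}${s.slice(1)}`);
  if (attrs.secure) parts.push("Secure");
  if (attrs.partitioned) parts.push("Partitioned");
  return parts.join("; ");
}

console.log(serialize("session", "abc", COOKIE));
console.log(sentOnFetch(COOKIE, "https://fe.domain.com/app", "https://api.domain.com/me"));
console.log(sentOnFetch(COOKIE, "https://fe.other.org/app", "https://api.domain.com/me"));
```

With the frontend on a different registrable domain, the same Lax cookie is not attached to the API request, which is the failure the shared parent domain avoids.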