I might be mistaken, but my current understanding is that JWT and CSRF tokens solve two different problems.
JWT in an HttpOnly cookie helps protect against XSS token theft, since JavaScript can’t read it.
But the browser will still send that cookie automatically, which means JWT alone doesn’t stop CSRF.
A malicious site can trigger a request that includes the JWT, but it can’t provide the CSRF header, because it cannot read the token (Same-Origin Policy).
So the server can detect forged requests by checking whether the CSRF header matches the token stored in the cookie.
Because the setup uses SameSite=None (cross-domain), CSRF protection becomes important — otherwise every cross-site request would automatically include the JWT.
That’s just how I currently see it, but I’m very open to correction if there’s a better pattern or perspective.
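The double-submit check described above, written out as an added example that is not part of the post (Python; the cookie and header names are assumptions, since the post does not name them):

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Hypothetical cookie and header names; the post does not specify them.
JWT_COOKIE = "access_token"
CSRF_COOKIE = "csrf_token"
CSRF_HEADER = "x-csrf-token"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_cookies(jwt, csrf=None):
    """Set-Cookie values for the setup in the post: the JWT is HttpOnly so
    page script cannot read it; the CSRF token is deliberately readable so
    same-origin script can copy it into a request header. Browsers accept
    SameSite=None only together with Secure."""
    csrf = csrf or secrets.token_urlsafe(32)
    return [
        f"{JWT_COOKIE}={jwt}; HttpOnly; Secure; SameSite=None; Path=/",
        f"{CSRF_COOKIE}={csrf}; Secure; SameSite=None; Path=/",
    ]


def csrf_check_passes(method, headers):
    """Double-submit check. The browser attaches both cookies to any request,
    including one triggered by another site, but only same-origin script can
    read the CSRF cookie and echo it in the header, so a matching header is
    the evidence that the request came from the application's own origin."""
    if method.upper() in SAFE_METHODS:
        return True  # safe methods must not change state, so no check
    lower = {k.lower(): v for k, v in headers.items()}
    jar = SimpleCookie()
    jar.load(lower.get("cookie", ""))
    cookie_val = jar[CSRF_COOKIE].value if CSRF_COOKIE in jar else ""
    header_val = lower.get(CSRF_HEADER, "")
    if not cookie_val or not header_val:
        return False  # cookie present but header missing: reject
    # constant-time comparison so the check does not leak token bytes
    return hmac.compare_digest(cookie_val, header_val)
```

The check only holds if no other origin can write cookies for the site's domain; a `__Host-` prefix on the CSRF cookie name makes the browser enforce that.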