How do you do jwt authentication in a server-side react app?
Where do you put the token sent by the authorization service (like aws cognito): in localStorage or in a cookie?
What steps are you taking to protect yourself from Cross-Site Request Forgery, Man-in-the-Middle, and Cross-Site Scripting attacks?
As far as I know, such an authentication system is less susceptible to XSRF attacks, since the browser does not automatically set the Authorization token in the request header when making requests.
However, this system is more susceptible to MITM and XSS attacks than the session-based auth system.
In general, I logged in and received a token from aws cognito.
Considering that the application does primary rendering on the server (server-side rendering), what steps to apply next (like best practices)?
I can't find an established pattern for the server-side react app + token-based authentication case on the Internet.
If you have already done something similar, share your experience, give a link to the repository, to some tutorial. Or at least explain step by step how to do it, what details to take into account? Basically, do something.
I will share my solution. Although I have rails on the server, and react is only on the front end. But nevertheless, maybe it will be useful.
During authorization, the server generates:
- access token
- cookie
- refresh token
which then travel back and forth between the client and the server.
Refresh token may be missing. Generally speaking, it is only needed to update the access token, and the client adds it to the request only when the access token expires. In this case, the server generates a new access and refresh token.
Cookies are given with the HTTP only mark, that is, the client cannot read them in any way. Cookies are needed only to check the validity of the access token, that is, there are no sessions on them (in general, the application is completely stateless).
The client stores both tokens (access and refresh) in local storage, from where it retrieves them for each request to the server.
Any request from a client containing a valid access token is considered authorized only if it contains cookies corresponding to the token (not matching, but corresponding, that is, encoded according to some algorithm with the access token as a base). Well, if there is a refresh token, then we also look to see if it fits our access token.
Such a scheme, in combination with HTTPS, protects well from XSS or CSRF vulnerabilities (disclaimer: but not from both at once).
Some theory why this works can be read here: www.redotheweb.com/2015/11/09/api-security.html
Only SSL certificates and icons on the server will protect you from MitM.
Where to store? Well, in general, this is not so important, but I would store it in LocalStorage. No idea why, just a gut feeling.
Although if yours is not exactly REST, then you can store the token in cookies and send it "according to the classics" (in headers).