User identification
Maxim Vlasov, 2020-06-03 08:06:13

How to make proper authorization on Vue.js?

I am building an application with Vue.js + Laravel, and the following question arose: how to do authorization correctly. All the manuals say that you need to store the token in localStorage. But that's not very safe. In theory, a normal AJAX request with a login/password can authorize a user using a cookie. Then why do the articles talk about an authorization key? In my view, the key is needed for authorization if it is not possible to use cookies. Or am I wrong?


1 answer(s)
ShinShil, 2020-06-03
@tr0yka

In terms of security, both the token and the cookie are equal. By security, I mean the difficulty of hacking.
There are several main differences:
1. Cookies are stored on the server and on the client, the token is stored on the client
2. Cookies are tied to the domain that authorized, but the token is not - this gives great flexibility, and it becomes a necessity when developing distributed systems.
3. The token can be used selectively on requests, and cookies on all requests. In the case of cookies, this can lead to XSRF attacks, as after authorization all requests will be considered authorized. For example, you logged in to the site site.com, and I sent you an email with the following tag:

<img src="https://site.com/money?money=200&to=me" />

As a result, 200 units will be transferred to me, because after authorization with cookies all requests are considered authorized, and the request to https://site.com/money?money=200&to=me will work. There are ways to protect yourself from such attacks.
In the last couple of years, tokens have become more commonly used, for three reasons:
1. They are stateless, which is more in line with SPAs (Angular, Vue, React) - one of the aspects of an SPA is that the state of the client is on the client.
2. Flexibility, because tokens are not tied to one domain
3. They have gained popularity))
Over the past two years, I personally have not come across projects with authorization cookies (on the .NET + Angular/React stack).
https://dev.to/spukas/authentication-cookies-vs- to...
https://stackoverflow.com/questions/17000835/token...
https://www.linkedin.com/pulse/cookie-vs-token-aut...
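
The `<img>` request from the answer above, checked server-side first by cookie alone and then with a per-session token required in a custom header for state-changing requests. This is an added example, not part of the original answer; the session store, cookie name, `x-csrf-token` header and token value are constructed assumptions.

```javascript
// Constructed sample data; the cookie name, header name and token are assumptions.
const SESSIONS = new Map([['sess-abc', { user: 'alice', csrfToken: 'f3b1c9d2e8a74c55' }]]);
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Compare without an early exit so timing does not reveal how much matched.
// (In Node, crypto.timingSafeEqual does this for equal-length buffers.)
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Cookie-only check: any request carrying a valid session cookie is authorized.
function cookieOnlyAllows(req) {
  return SESSIONS.has(req.cookies.session);
}

// Hardened check: a state change needs a non-safe method AND the session's
// token in a custom header, which a cross-site <img> request cannot set.
function hardenedAllows(req, { changesState }) {
  const session = SESSIONS.get(req.cookies.session);
  if (!session) return false;
  if (!changesState) return true;
  if (SAFE_METHODS.has(req.method)) return false;
  return constantTimeEqual(req.headers['x-csrf-token'], session.csrfToken);
}

// The browser attaches the cookie to the <img> request automatically
// (assuming the cookie is not SameSite-restricted).
const imgRequest = { method: 'GET', path: '/money?money=200&to=me',
  cookies: { session: 'sess-abc' }, headers: {} };
// The site's own SPA sends a POST with the token it received from the server.
const spaRequest = { method: 'POST', path: '/money',
  cookies: { session: 'sess-abc' }, headers: { 'x-csrf-token': 'f3b1c9d2e8a74c55' } };
// A cross-site POST would carry the cookie too, but not the custom header.
const forgedPost = { method: 'POST', path: '/money',
  cookies: { session: 'sess-abc' }, headers: {} };

console.log('cookie only, <img> request:', cookieOnlyAllows(imgRequest));
console.log('hardened, <img> request:', hardenedAllows(imgRequest, { changesState: true }));
console.log('hardened, cross-site POST:', hardenedAllows(forgedPost, { changesState: true }));
console.log('hardened, SPA request:', hardenedAllows(spaRequest, { changesState: true }));
```

Setting `SameSite=Lax` or `SameSite=Strict` on the session cookie stops the browser from attaching it to the cross-site `<img>` request in the first place and complements the header check.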
