User identification
jeruthadam, 2019-08-09 01:25:48

How to use JWT with httpOnly cookie?

There is a client - example.com
There is an authorization server - authserver.com
There is an API server - apiserver.com
The client successfully communicates with the authorization service, receives a token and saves it as httpOnly, for greater security. But what to do next? How to interact with apiserver.com if the cookie is for authserver.com? All the examples online are without httpOnly, or about cases where everything is on the same domain. What can be done in my case?


2 answer(s)
Grigory Vasilkov, 2019-08-09
@gzhegow

An interesting observation. Maybe smart people talk about this when it comes to stateless. Like, the first contact with the server and the token is required, saving the cookie for the second domain too. Like, the first one converts the login and password into a token, and the second one, receiving the token not from the cookie but from the header, creates a cookie for another domain.
Another option may be some kind of local storage, but I have never seen articles that directly praise local storage.
You can also try to make a session server on something like Redis, and shove it there rather than in the cookie. But apparently you still need to put the session identifier somewhere, so no, nonsense.
Probably two requests are needed. Authenticate with one to the auth server, and upon return, log in to the other server. A cookie on the first server is, like, not needed. The task is simply to send the authorizer's response to the second server and set the cookie there ...

Alexander Filippenko, 2019-09-27
@alexfilus

Or can they still be put on the same domain? Even if these are different services, configure nginx so that it sends requests for domain.com/auth to the authorization server, and the rest to the other one.
This will solve the problem with the availability of cookies, and there will be no access to them from the client.
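
A sketch of the single-domain layout suggested in the answer above, added here as an example and not taken from either poster. The upstream host names, ports and certificate paths are assumptions; `proxy_cookie_flags` requires nginx 1.19.3 or later.

```nginx
# Added example. Both services are published under domain.com, so the
# httpOnly cookie set during login is sent by the browser on API calls too.
server {
    listen 443 ssl;
    server_name domain.com;

    ssl_certificate     /etc/nginx/tls/domain.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/domain.com.key;   # placeholder path

    # domain.com/auth/... -> authorization server (the /auth/ prefix is stripped)
    location /auth/ {
        proxy_pass https://authserver.internal:8443/;     # assumed upstream
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;

        # If the auth server sets Domain=authserver.com on the token cookie,
        # rewrite it so the browser stores the cookie for the public host.
        proxy_cookie_domain authserver.com domain.com;

        # Enforce the cookie attributes at the edge for every Set-Cookie,
        # regardless of what the upstream sent. SameSite limits cross-site
        # requests that would otherwise carry the cookie automatically.
        proxy_cookie_flags ~ httponly secure samesite=strict;
    }

    # Everything else -> API server. The Cookie header is forwarded unchanged;
    # the API reads the JWT from it and must still verify the signature,
    # expiry and audience itself.
    location / {
        proxy_pass https://apiserver.internal:8443;       # assumed upstream
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Check the result with `nginx -t`, then confirm in the browser's network tab that the login response carries `Set-Cookie` with `HttpOnly; Secure; SameSite=Strict` and no `Domain=authserver.com`.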
