1. For two-factor authorization via SMS - a separate NORMAL! phone without OS (without android, ios, etc.).
2. Do not use public wi-fi networks (hotel, transport, cafes, etc.).
3. Do not use third-party browsers.
4. Do not give access to the client device to third parties.
5. Do not install any third party certificates.
6. Always check: which of the third-party applications / sites has access (and which one!) To perform various operations on the social network on behalf of your account without your participation (but from your permission, issued by you to the service / site earlier, when using any of them and at their request for this type of operation).

As far as I understand, my cookies were stolen, and they authorized me through them?

No.

If these are cookies, for example, I change the password and end all sessions from my account, will the attacker be able to log in again like this?

No.

Can I somehow reset these cookies so that the bandit does not get access to something else?

Clear the cache.

How to protect yourself from this?)

Do not give the password to your woman, who, apparently, logged in.
Well, do not log in to the left sites with authorization through VK.

Most likely, an attacker either had access to your phone, or you registered on suspicious sites, or you accessed the network from an unknown WiFi source (for example, free hotspots).
From the definition:

A cookie is a small piece of data sent by a web server and stored on the user's computer. The web client sends this piece of data to the web server as part of an HTTP request every time it tries to open a page of the corresponding site.

From this we understand that by clearing cookies, the "bandit" will not be able to get your data until you again find yourself vulnerable.
Protection?
Oh-oh, there are so many methods to protect yourself that you would rather sacrifice something than gain something.
I mean, for example, install a VPN –> Yes, your ip will be under some kind of "protection", but your connection speed will be greatly reduced. Can buy. But that's how you spend money.
You can use browsers that do not store any information about you (that is, the same cookies, personal data, etc.), but how can we be sure of this?
Understand - there is no "perfect protection".
You probably think that hackers don't need you, gos. structures?
Then why were you hacked? Is it not then to use?
My advice: just be accountable for your actions.
If you go to a suspicious site, we use fake data, a different password.
If you are connected to an access point, use a VPN or other options (server proxy).

Even stealing "cookies" or just simply a real clean public token will not help anyone to hack or log in through your account. Because the token is issued in conjunction with the ip address. The same token cannot be used for two sessions from different ip addresses.