Where is the best place to store JWT?
Hello!
I was wondering whether there is a "silver bullet" for this by now: localStorage or cookies? Or something else?
At the moment I store the JWT in encrypted cookies, and in parallel, on the server side, I pass the token in the Authorization header.
Code example posted on Git
Anywhere, but in encrypted form and with the Secure and HttpOnly flags.
So that even if all the cookies are stolen (for example, through third-party extensions) they are simply useless, pass the client's "fingerprint" on:
1. Authorization (two-factor authentication only: mail, SMS, GA, etc.),
2. A change of IP address,
3. A change of User-Agent,
4. Expiry of the validity period.
And be sure to do all of this through encryption with your server's public "key" (in addition to HTTPS!).
In principle, this applies not only to JWT but to any data that it is critical not to have stolen.
Such data is best stored in a Secure, HttpOnly cookie. With Secure I think it is clear: such a cookie is sent to the server only over HTTPS, which reduces the likelihood of hijacking by eavesdropping on traffic. With HttpOnly the reason is the same as why you shouldn't use localStorage: a cookie without HttpOnly is accessible from JS, from any JS loaded on the page.
What's bad about that? Are you sure about all the scripts included on your page? What if a third-party server was hacked? What if the user has a malicious extension that replaces certain scripts on all sites? Such malware will collect tokens from your users' localStorage, and then you will be the one dealing with them and with why they were hacked.
+1 to what was said above. It is necessary to limit the token's lifetime, so that even if it is stolen there is a chance they will not have time to use it. Such a token is usually called an access token, and it should not itself be extendable in any way.
sessionStorage + HTTPS and TTL control on the server.
Perhaps overhead, of course, but nothing better for the paranoid has yet been invented.