That being said, for new applications the developers have to make this decision. Which one is more secure? It is often said that cookies are safer against XSS (with the HttpOnly flag set), but using cookies makes your app more vulnerable to CSRF. Tokens held in JS, on the other hand, are easier to exfiltrate through XSS, but CSRF becomes much less of a problem.
But why not just combine the two approaches to get the best of both worlds? The web application can split the auth_token into two by doing:
    r      := random_bytes(len(auth_token))   // r must be as long as auth_token
    share1 := auth_token XOR r
    share2 := r
share1 can then be set as a cookie and share2 as a JS variable. The web frontend then needs to always provide both shares to the backend to authorize a request.
Instead of XOR, other cryptographic operations are possible, but XOR is especially performant and should be easily available in every programming environment.
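The split and the server-side check described above, as an added Node.js example that is not code from the original post. The cookie name `auth_share1`, the function names, the hex encoding and the `expectedToken` parameter (standing in for a session-store lookup) are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// XOR two equal-length buffers; returns null on a length mismatch.
function xorBuffers(a, b) {
  if (a.length !== b.length) return null;
  const out = Buffer.alloc(a.length);
  for (let i = 0; i < a.length; i++) out[i] = a[i] ^ b[i];
  return out;
}

// share2 = r (from a CSPRNG, same length as the token), share1 = auth_token XOR r.
function splitToken(authToken) {
  const r = crypto.randomBytes(authToken.length);
  return { share1: xorBuffers(authToken, r), share2: r };
}

// At login: share1 goes into an HttpOnly cookie that page scripts cannot read;
// share2 is returned to the frontend, which keeps it in a JS variable.
function issueShares(authToken) {
  const { share1, share2 } = splitToken(authToken);
  return {
    setCookie: `auth_share1=${share1.toString('hex')}; HttpOnly; Secure; Path=/`,
    jsShare: share2.toString('hex'),
  };
}

// Per request: require both shares, recombine them, compare in constant time.
// cookieHeader is the raw Cookie header; headerShare is the value the frontend
// sent explicitly (for example in a custom request header, an assumption here).
function authorize(cookieHeader, headerShare, expectedToken) {
  const m = /(?:^|;\s*)auth_share1=([0-9a-f]+)/.exec(cookieHeader || '');
  if (!m || typeof headerShare !== 'string') return false;
  const token = xorBuffers(Buffer.from(m[1], 'hex'), Buffer.from(headerShare, 'hex'));
  if (token === null || token.length !== expectedToken.length) return false;
  return crypto.timingSafeEqual(token, expectedToken);
}
```

A request that carries only the cookie (as a cross-site request would) or only the JS share (all that a script on the page can read) fails the check, because either share alone is a uniformly random string.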