I don’t know enough of your stack or use case, but I think I’ve solved a similar problem before, and some ideas may be useful for you.
I have a Next.js app where I need the client-side to have a valid JWT to make calls to my backend API if there’s a Discourse session.
For this I use Discourse as my identity provider through DiscourseConnect.
In my case, I’m doing this with a single client-side fetch call with { credentials: "include" }, which only works because I have everything set up with a single domain and the fetch call transparently follows redirects.
My client fetches a custom /auth/token, which checks for the existence of _t (just to avoid a pointless redirect otherwise) and returns a redirect to a secured /session/sso_provider URL built following the docs in the linked topic, with nonce/sso/sig, and a return_sso_url pointing to a custom /auth/callback, which will extract the data sent by Discourse, build and return a JWT token my client can use from this moment on.
I believe your use case may be solved in a similar way.
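
The two endpoints described in the post above, sketched as an added example (not the poster's code and not part of the original post). It follows the DiscourseConnect provider scheme of a base64 payload signed with hex HMAC-SHA256. The function names, where the nonce is stored, the JWT claims and the sample reply are assumptions.

```javascript
const { createHmac, randomBytes, timingSafeEqual } = require("node:crypto");

// DiscourseConnect signature: hex HMAC-SHA256 over the base64 payload string.
const sign = (payloadB64, secret) =>
  createHmac("sha256", secret).update(payloadB64).digest("hex");

// /auth/token: build the /session/sso_provider redirect. The caller must keep
// the nonce server-side or in an HttpOnly cookie (assumption) for the callback.
function buildSsoRedirect(discourseBase, callbackUrl, secret) {
  const nonce = randomBytes(16).toString("hex");
  const payload = new URLSearchParams({ nonce, return_sso_url: callbackUrl });
  const sso = Buffer.from(payload.toString()).toString("base64");
  const url = new URL("/session/sso_provider", discourseBase);
  url.searchParams.set("sso", sso);
  url.searchParams.set("sig", sign(sso, secret));
  return { nonce, location: url.toString() };
}

// /auth/callback: check the signature and nonce before trusting any field.
function verifySsoCallback(sso, sig, expectedNonce, secret) {
  const expected = Buffer.from(sign(sso, secret), "hex");
  const given = Buffer.from(String(sig), "hex");
  if (given.length !== expected.length || !timingSafeEqual(given, expected))
    throw new Error("bad signature");
  const fields = new URLSearchParams(Buffer.from(sso, "base64").toString("utf8"));
  if (!expectedNonce || fields.get("nonce") !== expectedNonce)
    throw new Error("nonce mismatch"); // stale or replayed response
  return Object.fromEntries(fields);
}

// Minimal HS256 JWT for the client; a maintained JWT library is the usual choice.
function mintJwt(user, jwtSecret, ttlSeconds = 900) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const now = Math.floor(Date.now() / 1000);
  const body = `${b64({ alg: "HS256", typ: "JWT" })}.${b64({
    sub: user.external_id, username: user.username, iat: now, exp: now + ttlSeconds })}`;
  return `${body}.${createHmac("sha256", jwtSecret).update(body).digest("base64url")}`;
}

// Constructed stand-in for Discourse's signed reply (all values are made up).
function sampleDiscourseReply(nonce, secret) {
  const q = new URLSearchParams({ nonce, external_id: "42", username: "alice" });
  const sso = Buffer.from(q.toString()).toString("base64");
  return { sso, sig: sign(sso, secret) };
}
```

The nonce should be single-use and short-lived, and the JWT signing key should be separate from the DiscourseConnect secret.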