Cookies work great for SPAs and I highly recommend the path for first party auth. Setting up CSRF tokens on the frontend is a lot easier than setting up OIDC.
That's correct. And if you have configured SameSite correctly and your GET request handlers are locked down, you don't even need CSRF tokens. Unfortunately Microsoft ASP.NET Core security engineers' careers seem to depend on having differing opinions on how to secure SPAs and APIs.
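The posture the reply describes (a SameSite session cookie, no CSRF token, GET handlers that never change state) as an added example; this is not code from either commenter or from ASP.NET Core. It is plain Node.js with no packages; the origin `https://app.example.com`, the `/api/transfer` and `/api/balance` routes, and the `session=alice` cookie value are all assumptions made for the illustration. The guard also checks `Sec-Fetch-Site` / `Origin` on state-changing requests as defence in depth, and rejects a request carrying neither header rather than trusting it.

```javascript
// Added example, not the commenters' code: SameSite cookie + origin check as
// the CSRF defence for a first-party SPA talking to its own API. Node 18+,
// no third-party packages. Origin, routes and session value are assumed.

const ALLOWED_ORIGIN = 'https://app.example.com'; // assumed SPA origin
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

function headerValue(req, name) {
  // Node lower-cases incoming header names; the constructed requests do too.
  return req.headers ? req.headers[name.toLowerCase()] : undefined;
}

// Session cookie attributes. Lax (the modern browser default) still sends the
// cookie on a top-level GET navigation from another site, so with Lax every
// GET handler must be side-effect free. Strict withholds it even there.
// None is refused: it would reopen classic CSRF.
function buildSessionCookie(sessionId, sameSite = 'Lax') {
  if (sameSite !== 'Lax' && sameSite !== 'Strict') {
    throw new Error(`SameSite=${sameSite} is not acceptable for a session cookie`);
  }
  return `session=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=${sameSite}`;
}

// Token-free check for state-changing requests. Safe methods always pass
// (their handlers must not mutate anything). Sec-Fetch-Site, sent by current
// browsers, is authoritative when present: only same-origin and 'none'
// (typed URL, bookmark) pass; 'same-site' is rejected on purpose so a sibling
// subdomain cannot forge requests. Older browsers fall back to Origin.
// Neither header present: reject rather than trust.
function csrfGuard(req) {
  if (SAFE_METHODS.has(req.method)) return true;
  const site = headerValue(req, 'sec-fetch-site');
  if (site !== undefined) return site === 'same-origin' || site === 'none';
  return headerValue(req, 'origin') === ALLOWED_ORIGIN;
}

// Constructed demo state: a single account.
const balances = { alice: 100 };

// Minimal router. Anything that mutates state sits behind POST only; a GET to
// the same path answers 405, so a cross-site top-level navigation that does
// carry the Lax cookie cannot move money.
function handle(req) {
  if (!csrfGuard(req)) return { status: 403, body: 'cross-site request rejected' };
  const authenticated = headerValue(req, 'cookie') === 'session=alice'; // assumed session format
  if (req.url === '/api/balance' && req.method === 'GET') {
    if (!authenticated) return { status: 401, body: 'unauthenticated' };
    return { status: 200, body: String(balances.alice) };
  }
  if (req.url === '/api/transfer') {
    if (req.method !== 'POST') return { status: 405, body: 'method not allowed' };
    if (!authenticated) return { status: 401, body: 'unauthenticated' };
    const amount = Number(req.body && req.body.amount);
    if (!Number.isInteger(amount) || amount <= 0 || amount > balances.alice) {
      return { status: 400, body: 'bad amount' };
    }
    balances.alice -= amount;
    return { status: 200, body: String(balances.alice) };
  }
  return { status: 404, body: 'not found' };
}
```

Feeding `handle()` constructed requests shows the two cases the reply relies on: an attacker page that navigates the victim to `/api/transfer?amount=50` arrives as a GET with the Lax cookie attached and gets 405, and an auto-submitted cross-site form POST gets 403 from the guard (a real browser would not even attach the Lax cookie to that POST). The SPA's own `fetch()` calls are same-origin and pass without any token.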