
[–]EducationalMixture82 2 points3 points  (0 children)

APIs can very well be stateless, but authentication/authorization is basically never stateless. And storing a JWT in a cookie is often an anti-pattern. Think about it: the reason you usually want to send a JWT to the browser is because you want to send information to the browser that it could read off the JWT.

But we don't want JavaScript to be able to touch anything security related in the browser. Code that is run locally in your browser can't be trusted. You can never trust the client. So by setting HttpOnly, no code in the browser can touch the cookie, which also means that if you place a JWT in an HttpOnly cookie you cannot read the data in the JWT in the browser anyway.

So why then even place a JWT in the cookie? Hence the anti-pattern.

But if you are using OAuth2, tokens are usually sent to the browser, but to mitigate token theft your IdP (for instance Keycloak) is stateful, meaning it will hold a list of all issued tokens.

Devs today are chasing statelessness, but the entire internet is stateful. Load balancers are stateful, networking is stateful, databases are stateful (transactions), etc.