24 February 2019

Where to save user authentication token: cookies vs local storage

Here's a very good comparison:
https://stackoverflow.com/a/35347022/171950

The important part of the linked answer is that the local storage approach is protected against CSRF, but exposed to XSS.

See also:
https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.2
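
The trade-off stated above, as an added example that is not from the original post or the linked answer: a small JavaScript model of a browser that attaches a cookie automatically but leaves a local storage token for page script to send. The origins, the token value, `BrowserModel` and the two server functions are constructed for illustration, and the cookie is assumed to carry no SameSite restriction.

```javascript
// Constructed model of credential handling in a browser; not real browser code.
const SITE = "https://app.example";     // assumed application origin
const OTHER = "https://other.example";  // assumed unrelated origin
const SESSIONS = new Map([["tok-123", "alice"]]); // constructed token and user

class BrowserModel {
  constructor() {
    this.cookies = new Map();      // keyed by target origin
    this.localStorage = new Map(); // keyed by page origin
  }
  // localStorage is per origin: a page's scripts only see their own origin's store.
  storageFor(pageOrigin) {
    if (!this.localStorage.has(pageOrigin)) this.localStorage.set(pageOrigin, new Map());
    return this.localStorage.get(pageOrigin);
  }
  // Request from a page at pageOrigin to targetOrigin. The cookie is attached
  // whoever initiated it (assumes a cookie without SameSite restrictions).
  request(pageOrigin, targetOrigin, headers = {}) {
    const req = { origin: pageOrigin, headers: { ...headers } };
    if (this.cookies.has(targetOrigin)) req.headers.cookie = this.cookies.get(targetOrigin);
    return req;
  }
}

// Server variant 1: trusts the session cookie alone.
function cookieAuth(req) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(req.headers.cookie || "");
  return m ? SESSIONS.get(m[1]) || null : null;
}
// Server variant 2: trusts only an explicit Authorization header.
function bearerAuth(req) {
  const m = /^Bearer (.+)$/.exec(req.headers.authorization || "");
  return m ? SESSIONS.get(m[1]) || null : null;
}

function scenario() {
  const b = new BrowserModel();
  b.cookies.set(SITE, "session=tok-123");      // after login, cookie approach
  b.storageFor(SITE).set("token", "tok-123"); // after login, local storage approach
  const crossSite = b.request(OTHER, SITE);   // request triggered from another origin
  const inPage = b.storageFor(SITE).get("token"); // any script in the app's origin
  const ownPage = b.request(SITE, SITE, { authorization: `Bearer ${inPage}` });
  return {
    crossSiteCookieUser: cookieAuth(crossSite), // cookie rode along with the request
    crossSiteBearerUser: bearerAuth(crossSite), // no header was sent, so no identity
    otherOriginToken: b.storageFor(OTHER).get("token") ?? null,
    inPageToken: inPage,                        // readable by injected script too
    ownPageBearerUser: bearerAuth(ownPage),
  };
}
```

The cookie variant is the case that the anti-forgery measures in the ASP.NET Core documentation linked above address; the `inPageToken` result is why the local storage variant depends on the page being free of XSS.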
