Auth flow for SPA + backend (different subdomains, same root domain)

We have a gateway express app, and a react SPA, served from different subdomains.
From a pure security standpoint, my understanding is that since my backend and spa can share cookies, I should go with the cookie based approach for authentication. (as opposed to using authorization flow with pkce on client side and storing the tokens in memory)

Is my understanding correct? How do I go about implementing authorization code flow from the backend (which is on a different subdomain)?