You should use the received access token you get in the callback to make API calls (not rely on a cookie). That’s what the access token is explicitly for.
The usual way is that you use that you register your API in the Auth0 Dashboard under APIs. Then use the API identifier from there as the audience in the authorization request you make from your Java app.
You can refer to this authorization Quickstart to get an idea.
https://auth0.com/docs/quickstart/backend/java-spring-security/01-authorization
A general description of the Authorization Code Grant flow, which might also be helpful, is here:
https://auth0.com/docs/api-auth/tutorials/authorization-code-grant#2-exchange-the-authorization-code-for-an-access-token