Need help selecting correct auth flow for chrome extension

Hi @konrad.sopala @rb03

This is a complicated scenario (one that would probably benefit from Auth0 Professional Services)

Do not play fast and loose with access tokens: Token Storage

Instead, you want to use Auth Code + PKCE and rely on the auth0 session. You are already redirecting to your extension hosting page for auth. Your apps should use silent auth via redirecting to get their own access tokens as needed.

The Auth0 session is a cookie in your Auth0 tenant domain, so it IS available to all your different web pages.

I haven’t secured an extension before, but it is a public, not confidential, client so it requires Auth Code + PKCE.

John
