We were having a similar issue. Child apps with the auth0 SDK nested in iframes could not authenticate in Chrome Incognito or Safari.
We were able to fix the issue by creating a custom domain for each of our tenants. We’re not using refresh tokens.
Hopefully this could be helpful 
Cheers
Eoghan