— You can store a hashed CSRF token in localStorage and keep the unhashed one in the JWT.
— Set cookie, check cookie
— The cookie is sent automatically, so by itself it is a huge CSRF risk. But, since it is HttpOnly, scripts can't see it! The hashed localStorage CSRF token is only available to scripts on the domain, so as long as you prevent XSS, nothing would be able to compromise the tokens.