I've explored this a bit further, and I'm pretty confident this is the way to go for Threat Dragon Web.
Some of the other benefits I've realized after exploring the implementation a bit more:

• JWTs can be used as an IDP agnostic way of providing authentication for end users
• Fewer dependencies: (passport, passport-github, connect-azuretables, csurf, express-session have all been removed on the vue-migration branch)
• Remove the need for external storage, reducing the setup overhead for production deployments
• Mitigates CSRF
• Allows for future integrations with the server via REST API, maybe even eventually granting granular control over API integrations via JWT scopes.
• Not all clients will support cookies, but almost all clients can support JWT (opinion based on experience, no evidence to support this statement 😅 )
• Since everything on the server is returning JSON, a standardized response wrapper was created that will catch exceptions and return generic messages by default (you can send specific errors if you configure it). This resolves some of the error messages we have seen returned from Threat Dragon in the past

The implementation uses a refresh token flow. The timeouts and some other options will likely wind up being configurable with some sane defaults (5 minutes for access token, 6 hours for refresh). When the JWT expires, the front-end will automatically attempt to get a new token using the refresh token and retry the original request. As far as user experience is concerned, this should be a seamless transition.

I'm still very much open to differing opinions, but wanted to share what I've learned so far.