1 min read · Feb 6, 2019
Good article on securing SPA apps. We have taken a similar approach to secure the app from XSS and CSRF. Instead of JWT, we are using an OAuth2 access token, and instead of embedding a random value in the JS-accessible portion of the JWT and setting it as a form field, we directly set a part of the access token in the Authorization header to prevent CSRF attacks.
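An added illustration (not the commenter's code, nor from the article they reply to) of the split-token idea described above: one half of the access token stays in an HttpOnly cookie the browser sends automatically, the other half is handed to the SPA and must arrive in the Authorization header, so a cross-site request that carries only the cookie is rejected. The cookie name, the HMAC binding and the in-memory store are my assumptions.

```python
# Split-token binding for an OAuth2-style access token (added example, not the
# commenter's implementation). Assumed design: the authorization server issues
# two random halves, stores an HMAC over both, and the resource server only
# accepts a request when the cookie half and the header half match that HMAC.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SERVER_KEY = secrets.token_bytes(32)   # per-deployment signing key (constructed)
COOKIE_NAME = "at_secret"              # assumed name of the HttpOnly cookie
VALID_BINDINGS: set[str] = set()       # what the resource server keeps; never the halves themselves


def _bind(cookie_part: str, header_part: str) -> str:
    """HMAC over both halves; a request must reproduce this to be accepted."""
    msg = f"{cookie_part}|{header_part}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class IssuedToken:
    cookie_part: str  # set as HttpOnly; Secure; SameSite cookie, not readable by JS
    header_part: str  # returned in the JSON body; SPA sends "Authorization: Bearer <part>"


def issue_token() -> IssuedToken:
    """Mint a fresh access token and record only its binding server-side."""
    tok = IssuedToken(secrets.token_urlsafe(32), secrets.token_urlsafe(32))
    VALID_BINDINGS.add(_bind(tok.cookie_part, tok.header_part))
    return tok


def verify_request(cookies: dict, headers: dict) -> bool:
    """Accept only when both halves arrive and their binding is known.

    A cross-site form post or <img> request carries the cookie but cannot add
    a custom Authorization header, so it fails here (CSRF defence). A value
    stolen from the header alone is useless without the HttpOnly cookie.
    """
    cookie_part = cookies.get(COOKIE_NAME)
    auth = headers.get("Authorization", "")
    if not cookie_part or not auth.startswith("Bearer "):
        return False
    header_part = auth[len("Bearer "):]
    binding = _bind(cookie_part, header_part)
    return any(hmac.compare_digest(binding, known) for known in VALID_BINDINGS)
```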