Damian Rusinek
1 min read · Jul 7, 2020


In the case of an SPA there is no redirection from the backend, as it’s an SPA, not an MPA. You are “redirected to the JavaScript code” from the Authorization Server. That is why the token is retrieved by JavaScript and has to be saved by JavaScript. Of course, you can implement an additional backend (besides the API), but it would not be an SPA anymore AFAIK.

You can (and should) use the authorization code, and the JavaScript can get the code and exchange it for the token — that requires CORS. In fact, that could be the moment when the Authorization Server sets cookies in your browser and does not pass them to the JavaScript. But then you would be able to send the token only to the Authorization Server and not to your API (unless you run them on the same origin).


Written by Damian Rusinek

Security Consultant @ Securing, PhD, Blockchain Security, Cryptography Protocols || Twitter: @drdr_zz
