Acceptable OAuth Flow for a decoupled frontend/Backend Architecture?

I have a NextJS frontend and Golang backend architecture with an authentication system using JWTs and an internal user/password database. I'm adding OAuth sign-in in addition to the JWT system, but all API calls will still be maintained using JWTs. I have a working prototype that uses the following OAuth flow:

1. User is directed to a NextJS page that displays various login options as buttons.
2. When a provider is chosen, the user is redirected to the backend at /auth/provider where they are then redirected to the provider with all required keys and callback links.
3. User logs in at the provider and the redirect is triggered to /auth/provider/callback.
4. The backend server retrieves the user data from the callback and connects the user email to the internal user data for generating a JWT.
5. The backend returns a page that stores the JWT in local storage and redirects to a NextJS page.
6. The NextJS page can then use the stored JWT to make API calls.
7. An additional step could be to exchange the JWT for a new, non-stored JWT or session cookie if the JWT is used twice (potential XSS attempt) and the new JWT is invalidated.

The above method works, but requires a locally stored JWT. Is this a concern, and is it possible to complete the final steps without the need for a locally stored JWT.

Does this flow make sense or am i going about it all wrong? Would swapping to PKCE be overkill?

For the current prototype I'm using the github.com/markbates/goth example code running as the golang backend and a basic NEXTjs server

In effect you have a form of backend for frontend there. It is worth browsing OAuth for browser based apps a little similar to section 6.2 of the above doc.

One option might be to host the backend at a URL like https://api.example.com, then make it write cookies for the Next.js app, hosted at a URL like https://www.example.com.

In this way the backend and frontend parts of the OAuth flow are decoupled, and you also avoid locally stored JWTs. Note the same domain prerequisite, needed for the cookie to be considered first-party, and therefore avoid being dropped by browsers later.