As a temporary fix using jQuery I've added in;
$.ajaxSetup({
xhrFields: {
withCredentials: true
}
});

Which allows the cookies to be passed. However doesn't resolve the underlying issue of session_id essentially getting ignored after the 1st attempt. I didn't have much luck trying to fix it as of yet.

It may be worth moving away from Joomla's session ID and instead incorporate something like JWT stateless authentication jwt.io/#libraries passed through headers e.g. Authentication: bearer {token}. It can run without the database, although incorporating a custom "token" table in jBackend would enable token revoking functionality.

I've got JWT working for JBackend using HS512 (i've overridden the user plugin on a local build and the libraries for RS256, HS256, etc are there) but it's not comprehensive enough as of yet (I'd like more parameters to enable database checking / token revoking and deeper integration to tell joomla what's going on).

Simply I create a JWT token after a successful login which the client keeps. Then for each call after that I can check both JWT and Cookies (for browser) where JWT can validate the token against a private key (I've got that in a locked config.php file for speed but could be in the component options stored in the db for more global / friendly use) and if it hasn't been tampered with I can take the uid from the token and get the user from there. Then your usual JFactory::getUser($uid); and you can do everything you need from there.

If you want I can share a private Github repository with you?

P.S. The JWT library checks both the validity (based on the signature with private key) and expires of the token.