
You have a couple of options for storing tokens or other secrets like API keys that only need to be presented to a remote server.

* Secure, HttpOnly cookies. This requires that your servers live on the same domain as the web page is being served from, but cookies will transparently be attached to any request and are unavailable to be exfiltrated.

* Some secrets can be stored outside of the browser JavaScript context so again can't be exfiltrated. This is pretty limited, but WebAuthn uses this for example.

* Keep the secrets server side in a session. You are still vulnerable to session riding, but not exfiltration of tokens.