I think the approach I've seen with

SameSite

is to have two cookies - one

Lax

for GETs or non-destructive access, and another

Strict

one for `POST`s or changing data. But you still have to remember to not do something stupid in the wrong route.