This seems like a great way to pull out session identity from cookies and sidestep a lot of the baggage there.

I would caution framing it as a secure replacement for cookies, it’s a secure replacement for session ID token cookies. Tons of cookies aren’t just opaque IDs.