Should I use local/session storage or cookie to store access/refresh token?

Kareem
·Aug 26, 2017

Long lived Access Token: 50%

Access / Refresh token in localstorage: 50%

other option: 0%

14 votes · Closed

I created an API that sends a user an "access token" and a "refresh token" in order to use them for authentication and to refresh the access token.

I'm using Angular on the client side. The problem I have is that there is a lot of discussion and many ways to store those tokens, like localStorage, sessionStorage and cookies.

Which one should I use? Each time I google, I find they have downsides; for example, I see CSRF and XSS attacks, and that cookies aren't RESTful, etc.

The idea I have is: store the access token, and when I get a "401" error, use the refresh token to get a new access token. I'm thinking of storing both of them in sessionStorage.

Or should I use a long-lived access token that expires after a long time?
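
The refresh-on-401 flow described in the post above, as an added example that is not part of the original post. It takes no position on where the tokens live: `createAuthClient`, `send`, `refresh`, `memoryStore` and the `access_token` / `refresh_token` key names are hypothetical, and `store` only has to offer the `getItem` / `setItem` / `removeItem` calls that sessionStorage and localStorage share.

```javascript
// Added example, not from the original post. `send`, `refresh` and `store` are
// hypothetical, caller-supplied pieces; `store` mimics the sessionStorage API.
function createAuthClient({ send, refresh, store }) {
  let refreshing = null; // in-flight refresh, shared by concurrent 401s
  function renewAccessToken() {
    if (!refreshing) {
      refreshing = refresh(store.getItem('refresh_token'))
        .then((tokens) => {
          store.setItem('access_token', tokens.accessToken);
          // Keep a rotated refresh token if the API returns one.
          if (tokens.refreshToken) store.setItem('refresh_token', tokens.refreshToken);
          return tokens.accessToken;
        })
        .catch((err) => {
          // Refresh rejected: drop both tokens so the user has to log in again.
          store.removeItem('access_token');
          store.removeItem('refresh_token');
          throw err;
        })
        .finally(() => { refreshing = null; });
    }
    return refreshing;
  }
  return async function request(req) {
    const first = await send(req, store.getItem('access_token'));
    if (first.status !== 401) return first;
    return send(req, await renewAccessToken()); // retry once, never loop
  };
}

// Constructed in-memory stand-ins so the example runs offline.
function memoryStore(initial) {
  const m = new Map(Object.entries(initial));
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: (k) => m.delete(k),
  };
}

async function runDemo() {
  const store = memoryStore({ access_token: 'expired', refresh_token: 'r1' });
  let refreshCalls = 0;
  const send = async (req, token) => ({ status: token === 'fresh' ? 200 : 401 });
  const refresh = async () => { refreshCalls += 1; return { accessToken: 'fresh' }; };
  const request = createAuthClient({ send, refresh, store });
  const replies = await Promise.all([request('/a'), request('/b')]);
  return { statuses: replies.map((r) => r.status), refreshCalls };
}
```

Two requests that fail with 401 at the same time share one refresh call, and a rejected refresh clears both stored tokens instead of retrying.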