jwt – How can OAuth2 (tokens) fit into dynamic sites that still want to call protected APIs via JavaScript?

(I am trying to understand different concepts regarding web development in general.)

Most information I find is about Single Page Applications, but how does a dynamic site make use of (for example) OAuth2/tokens? Maybe we want the pages to be rendered server-side, but have many functions here and there that make use of WebSockets or Ajax calls to a web API that is protected.

How can the client/browser know who the user is all the time (for example a username and profile picture in the navbar) and how does the user get authorized or “persist across the lines” with a token that cannot be stored anywhere because of XSS and CORS attacks (as I understand is the problem), that at the same time the username/avatar (as an example of what I mean) will still be displayed even when clicking around to other server-rendered pages?

Can you help me with a general explanation and/or point me in the right direction to learn more? Recommended books or other sources? I know my technical vocabulary is not good, and that’s also why it’s difficult for me to search myself, and these questions have probably been answered here before also.

Thanks for your time and help.