Would “same-origin cookies” make sense?

Yes, it would definitely make sense, and there is a proposal about this (Origin Bound cookies).

SameSite=Strict & Lax are a very good protection against CSRF but hacked subdomains remain a way to attack – for example, hacked.example.com can forge credentialed requests to example.com easily.

For this, you can actually use the __Host- cookie prefix. On browsers with support for cookie prefixes, it is not possible to set them across domains: this way you are sure that the cookie actually comes from example.com and not hacked.example.com.

However, there is currently no way to bind a cookie to a (domain, port) pair. As I’m discussing on a bug entry, this is especially problematic for localhost-bound non-HTTPS web servers: another local user can exfiltrate your cookies by spawning a local server on another port and tricking you into browsing to this web server.
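The `__Host-` rules and the missing port binding described above, as an added example that is not part of the original answer: a simplified model of the checks a prefix-aware browser applies before storing a cookie (Secure, set over HTTPS, no Domain attribute, Path=/). The function names and sample headers are constructed for illustration.

```javascript
// Simplified model of browser-side __Host- prefix enforcement (illustrative only).

// Split a Set-Cookie header value into the cookie name and its attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eqPos = pair.indexOf("=");
  const name = eqPos === -1 ? pair : pair.slice(0, eqPos);
  const attributes = new Map();
  for (const attr of attrs) {
    if (!attr) continue;
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    attributes.set(key, eq === -1 ? "" : attr.slice(eq + 1).trim());
  }
  return { name, attributes };
}

// settingUrl is the URL of the response that carried the Set-Cookie header.
function checkHostPrefix(header, settingUrl) {
  const { name, attributes } = parseSetCookie(header);
  if (!name.startsWith("__Host-")) {
    return { accepted: true, reason: "no __Host- prefix, rules not applied" };
  }
  if (new URL(settingUrl).protocol !== "https:") {
    return { accepted: false, reason: "not set from a secure origin" };
  }
  if (!attributes.has("secure")) {
    return { accepted: false, reason: "missing Secure attribute" };
  }
  if (attributes.has("domain")) {
    // A Domain attribute would widen the scope beyond the setting host.
    return { accepted: false, reason: "Domain attribute not allowed" };
  }
  if (attributes.get("path") !== "/") {
    return { accepted: false, reason: "Path must be /" };
  }
  return { accepted: true, reason: "host-only cookie bound to the setting host" };
}

// Host-only cookies are matched on the host name; the port is not part of the scope.
function sameCookieHost(urlA, urlB) {
  return new URL(urlA).hostname === new URL(urlB).hostname;
}

// Constructed samples: the site's own cookie, then one a subdomain tries to scope to the parent.
console.log(checkHostPrefix("__Host-session=abc; Secure; Path=/; HttpOnly", "https://example.com/login"));
console.log(checkHostPrefix("__Host-session=x; Secure; Path=/; Domain=example.com", "https://hacked.example.com/"));
console.log(sameCookieHost("http://localhost:3000/", "http://localhost:8000/"));
```

The last call returns `true`: two servers on different localhost ports share one cookie scope, which is the gap the answer's final paragraph describes.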