Cross-site cookies setup problem
zeck3
FREEOP

12 days ago

I have a problem setting up cookies for cross-site domains:

frontend staging:

ucap-fs.up.railway.app

backend staging:

ucap-bs.up.railway.app

Tech stack:
Django, Rest Framework

React + Vite, Axios

When I log in successfully, I can't proceed to any POST requests; they always return 403 Forbidden. I have the following setup in Django settings.py:

ALLOWED_HOSTS = ["ucap-bs.up.railway.app"]
CORS_ALLOWED_ORIGINS = ["https://ucap-fs.up.railway.app"]   # CORS: origins allowed to call the API from a browser
CSRF_TRUSTED_ORIGINS = ["https://ucap-fs.up.railway.app"]   # CSRF: Origin/Referer values accepted on unsafe requests

CORS_ALLOW_CREDENTIALS = True            # emit Access-Control-Allow-Credentials: true
SESSION_COOKIE_SAMESITE = "None"         # cross-site cookie; SameSite=None requires Secure
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_PARTITIONED = True        # CHIPS: cookie partitioned by top-level site

CSRF_COOKIE_SAMESITE = "None"
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_HTTPONLY = False             # readable by script, but only on the cookie's own host
CSRF_COOKIE_PARTITIONED = True

USE_X_FORWARDED_HOST = True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')   # trust the proxy's claim that the request was HTTPS

Axios Client setup:

import axios from "axios";

const axiosClient = axios.create({
  baseURL: import.meta.env.VITE_API_URL,
  withCredentials: true,          // send cookies on cross-site requests
  withXSRFToken: true,            // read xsrfCookieName from this page's document.cookie and copy it into xsrfHeaderName
  xsrfCookieName: "csrftoken",
  xsrfHeaderName: "X-CSRFToken",
});

When I log in, the cookies show (no sessionid):

https://ucap-fs.up.railway.app > csrftoken > value: q49EebR7XFC2HiiKy5UWMWJDqdnwyOPz, domain: ucap-bs.up.railway.app

csrf/ 200 ok:

Response headers:

set-cookie csrftoken=2m1C5noKaHHbiu0Xmawnv8OHEZxD7QWW; expires=Sun, 22 Nov 2026 04:15:35 GMT; Max-Age=31449600; Partitioned; Path=/; SameSite=None; Secure

Request headers:

cookie csrftoken=eFf1cQZ0QGOCsxtU1Rt5f6oJbUGWktp2; csrftoken=2m1C5noKaHHbiu0Xmawnv8OHEZxD7QWW

login/ 200 ok

Response headers:

set-cookie: csrftoken=iT6H2JLu04xp1N9PGekddYDaBxVIILFC; expires=Sun, 22 Nov 2026 04:15:36 GMT; Max-Age=31449600; Path=/; SameSite=None; Secure

set-cookie: sessionid=g6xwh01rvqzez1m65fkdcu1tjcrsx774; expires=Sun, 23 Nov 2025 04:30:36 GMT; HttpOnly; Max-Age=900; Path=/; SameSite=None; Secure

Request headers:

cookie: csrftoken=2m1C5noKaHHbiu0Xmawnv8OHEZxD7QWW; csrftoken=2m1C5noKaHHbiu0Xmawnv8OHEZxD7QWW

$10 Bounty
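A check worth making on a setup like the one above, as an added example that is not part of the original post and not Django's or axios' own code: axios' xsrfCookieName/withXSRFToken mechanism reads the token from the page's own document.cookie. A csrftoken cookie the browser stored for ucap-bs.up.railway.app is never visible to script running on ucap-fs.up.railway.app, so that lookup yields nothing and no X-CSRFToken header is produced, even though the cookie itself is sent; Django's CsrfViewMiddleware then rejects the POST with 403. The block below parses the Set-Cookie lines quoted in the post to verify the attributes a cross-site cookie needs, shows the document.cookie lookup coming back empty, and implements the usual cross-site alternative: fetch the token from the body of GET /csrf/ and attach it from memory in a request interceptor. It assumes (hypothetically, this is not in the post) that the csrf/ view returns JSON of the shape {"csrfToken": "..."}, for instance built from django.middleware.csrf.get_token(request); the hostnames are the ones in the post, and the sample cookies are the post's headers, embedded as constructed input.

```javascript
// Added example, not from the original post, Django or axios.
// Assumed (hypothetical): GET /csrf/ on the backend answers with JSON
// {"csrfToken": "<token>"}, e.g. from django.middleware.csrf.get_token.

const BACKEND_ORIGIN = "https://ucap-bs.up.railway.app"; // hostname from the post

// Parse one Set-Cookie header into {name, value, attrs}; attribute names are
// lower-cased and flag attributes (Secure, HttpOnly, Partitioned) become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf("=");
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// What a cookie needs to be sent on a credentialed cross-site request:
// SameSite=None (otherwise the browser withholds it), Secure (mandatory with
// SameSite=None), and Partitioned so browsers that block unpartitioned
// third-party cookies still keep it, keyed to the embedding top-level site.
function crossSiteProblems(setCookieHeader) {
  const { name, attrs } = parseSetCookie(setCookieHeader);
  const problems = [];
  if (String(attrs.samesite || "").toLowerCase() !== "none") problems.push(`${name}: SameSite must be None`);
  if (attrs.secure !== true) problems.push(`${name}: Secure is required with SameSite=None`);
  if (attrs.partitioned !== true) problems.push(`${name}: not Partitioned; may be dropped where third-party cookies are blocked`);
  return problems;
}

// This is the lookup axios performs for xsrfCookieName: scan the page's own
// document.cookie. Script on ucap-fs.up.railway.app only sees cookies stored
// for that host, never the csrftoken stored for ucap-bs.up.railway.app, so on
// the frontend this returns null and no X-CSRFToken header is added.
function readCookie(documentCookie, name) {
  for (const part of documentCookie.split(";")) {
    const trimmed = part.trim();
    if (trimmed.startsWith(name + "=")) return trimmed.slice(name.length + 1);
  }
  return null;
}

// Cross-site alternative: obtain the token from the JSON body of GET /csrf/
// (assumed endpoint shape) and keep it in memory. credentials: "include" makes
// the browser store the csrftoken cookie Django sets on that response, which
// the middleware later compares against the header.
async function loadCsrfToken(state, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(`${BACKEND_ORIGIN}/csrf/`, { credentials: "include" });
  if (!res.ok) throw new Error(`csrf endpoint returned ${res.status}`);
  const body = await res.json();
  if (typeof body.csrfToken !== "string" || body.csrfToken.length === 0) {
    throw new Error("csrf endpoint did not return a csrfToken");
  }
  state.token = body.csrfToken;
  return state.token;
}

// Request interceptor, registered as
//   axiosClient.interceptors.request.use((cfg) => attachCsrf(cfg, csrfState));
// Django only checks the token on unsafe methods, so GET/HEAD/OPTIONS/TRACE
// are left untouched. withCredentials stays true so csrftoken and sessionid
// ride along as cookies while the header carries the matching token.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);
function attachCsrf(config, state) {
  const method = String(config.method || "get").toUpperCase();
  const headers = { ...(config.headers || {}) };
  if (!SAFE_METHODS.has(method)) {
    if (!state.token) throw new Error("CSRF token not loaded; await loadCsrfToken() first");
    headers["X-CSRFToken"] = state.token;
  }
  return { ...config, withCredentials: true, headers };
}

// Constructed sample input: the two Set-Cookie lines quoted in the post.
const SAMPLE_SET_COOKIES = [
  "csrftoken=2m1C5noKaHHbiu0Xmawnv8OHEZxD7QWW; expires=Sun, 22 Nov 2026 04:15:35 GMT; Max-Age=31449600; Partitioned; Path=/; SameSite=None; Secure",
  "sessionid=g6xwh01rvqzez1m65fkdcu1tjcrsx774; expires=Sun, 23 Nov 2025 04:30:36 GMT; HttpOnly; Max-Age=900; Path=/; SameSite=None; Secure",
];
```

Run on the post's own headers, crossSiteProblems reports nothing for the csrftoken cookie and flags only the missing Partitioned attribute on sessionid; readCookie against the frontend's document.cookie (which does not contain the backend's csrftoken) returns null, which is why attaching the token from memory is the reliable path for a cross-site SPA. The token Django returns from get_token is a masked value that differs from the cookie; the middleware unmasks and compares them, so the header and cookie do not need to be byte-identical.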

1 Reply

Railway
BOT

12 days ago

Hey there! We've found the following might help you get unblocked faster:

If you find the answer from one of these, please let us know by solving the thread!
