It's pretty hard/near impossible to return a file via an XHR/AJAX response. Traditionally a web-browser would just open the URL to which the file would be downloaded from, which makes JWT authentication tricky as you can't pass custom headers on this type of request (and thus your request can't be authenticated/trusted).
Our workaround for this was to have our filter also look the JWT in a query parameter on the URL.
Like @awzurn already explained, in the absence cookies one would need to to pass token through the URL (Signed URL).
Ideally, that token would contain only permission to download that specific file for certain period of time. That said, one additional filter would have to be implemented to look for token in the URL.
Any suggestions as to why this may be?