Steve Pryde
Apr 16, 2022

If your http-only cookie is sent on every request, wouldn't XSS also be able to make its own requests, using the cookie, and have those requests appear to come from your domain?

If you're vulnerable to XSS, you're screwed either way. If you're not, then JWT is fine.

Written by Steve Pryde

I’m a Software Engineer and the creator of the Rust crate “thirtyfour”, a batteries-included Selenium client for Rust.