I am setting individual login session tokens (JWTs) per account (multi_auth.<userId>).
The client uses a "cointer pookie" (I made that term up) to switch between accounts since we don't want to give JS access to the actual session tokens.
My assumption is that using pointer cookies should prevent XSS vulns, since in case of an XSS vuln an attacker could only see which accounts you're linked to, but not access the actual session tokens.