I'm looking into using IdentityServer4 together with ASP.NET WebAPI, Angular and so on.
In most examples of OAuth 2 with JavaScript clients I've seen, the access token is stored in local storage or session storage. I have also read posts where they think that's a bad idea, for example these two: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage and http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/.
Is there any way to use cookies for the APIs instead, like the posts mention, with IdentityServer?
My personal opinion is that session/local storage (depends on your needs) is the right place.
The prerequisite for that is that your JS code is secure. The only way to enforce that is a restrictive content security policy.
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
IOW - CSP is mandatory for every JS application.
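
An added example (not part of the original answer, and not IdentityServer code) of what checking for a "restrictive" policy can look like: a small auditor for the CSP header of a SPA that keeps its access token in web storage, plus a strict baseline policy. The origins `https://api.example.test` and `https://login.example.test`, and the `frame-src` entry for iframe-based token renewal, are assumptions.

```javascript
// Added example (not from the thread); the origins and the frame-src entry are assumptions.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  // Fetch directives fall back to default-src when absent.
  const effective = (d) => policy.get(d) ?? policy.get('default-src');
  const script = effective('script-src');
  if (!script) {
    findings.push('script-src: no restriction, any script may run');
  } else {
    const hasNonceOrHash = script.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    for (const s of script) {
      // Browsers ignore 'unsafe-inline' when a nonce or hash is present.
      if (s === "'unsafe-inline'" && !hasNonceOrHash) findings.push("script-src: 'unsafe-inline' permits injected inline script");
      if (s === "'unsafe-eval'") findings.push("script-src: 'unsafe-eval' permits eval of strings");
      if (s === '*' || /^(https?|data|blob):$/.test(s)) findings.push(`script-src: ${s} is too broad`);
    }
  }
  const connect = effective('connect-src');
  if (!connect || connect.includes('*')) findings.push('connect-src: unrestricted, a script could send the token to any origin');
  // object-src falls back to default-src; base-uri does not.
  const object = effective('object-src');
  if (!object || !(object.length === 1 && object[0] === "'none'")) findings.push("object-src: should be 'none'");
  if (!policy.has('base-uri')) findings.push('base-uri: missing, <base> can redirect relative script URLs');
  return findings;
}

function buildSpaCsp({ apiOrigin, authorityOrigin }) {
  return [
    "default-src 'none'", "script-src 'self'", "style-src 'self'", "img-src 'self'",
    "font-src 'self'", `connect-src 'self' ${apiOrigin} ${authorityOrigin}`,
    `frame-src ${authorityOrigin}`, "object-src 'none'", "base-uri 'self'", "form-action 'self'",
  ].join('; ');
}

const strict = buildSpaCsp({ apiOrigin: 'https://api.example.test', authorityOrigin: 'https://login.example.test' });
const weak = "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval'"; // constructed sample
console.log(auditCsp(strict)); // no findings
console.log(auditCsp(weak));
```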