The authorization header is the standard way to communicate credentials in HTTP. The problem is not the header but token theft. If you can keep the token safe, there is no need to use cookies. However, as the article discusses, tokens are not safe in browsers. The idea is that if the client cannot retrieve the access token via browser APIs, neither can an attacker. The way to achieve this is with HTTP-only, same-site cookies. For backchannel requests, such as from the OAuth proxy to APIs, the authorization header is still valid.
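
The split described above, as an added example that is not code from the article or its author: the browser only ever holds an HTTP-only, same-site cookie, and the OAuth proxy swaps it for an authorization header on the backchannel request. The cookie name, the in-memory `sessions` map, the opaque session id (instead of an encrypted token in the cookie) and all function names are assumptions made for illustration.

```javascript
// Assumed names throughout; a real proxy would use a persistent session store.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

const SESSION_COOKIE = '__Host-session';  // __Host- prefix requires Secure and Path=/
const sessions = new Map();               // opaque session id -> access token

// Called by the proxy after the OAuth flow: the token stays server-side,
// the browser receives only an opaque handle that scripts cannot read.
function issueSessionCookie(accessToken) {
  const id = Buffer.from(rng.getRandomValues(new Uint8Array(32))).toString('hex');
  sessions.set(id, accessToken);
  return `${SESSION_COOKIE}=${id}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

// Parse a Cookie request header; a name that appears twice is treated as
// ambiguous and mapped to null so it can never select a session.
function parseCookies(header) {
  const cookies = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 1) continue;
    const name = part.slice(0, eq).trim();
    cookies.set(name, cookies.has(name) ? null : part.slice(eq + 1).trim());
  }
  return cookies;
}

// Build the headers for the backchannel request to the API. Returns null
// when there is no valid session, in which case the proxy answers 401.
function toUpstreamHeaders(browserHeaders) {
  const id = parseCookies(browserHeaders.cookie).get(SESSION_COOKIE);
  const token = id ? sessions.get(id) : undefined;
  if (!token) return null;
  const upstream = {};
  for (const [key, value] of Object.entries(browserHeaders)) {
    const name = key.toLowerCase();
    // Never forward the cookie, and never trust a browser-supplied
    // Authorization header: the proxy is the only source of the token.
    if (name === 'cookie' || name === 'authorization') continue;
    upstream[name] = value;
  }
  upstream.authorization = `Bearer ${token}`;
  return upstream;
}
```
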