If you are going to use a Bearer Token from a browser app, then you will need to set allow_cors in site_config.json of your ERPNext site. By using a bearer token you don’t get any cookie. You can query the userinfo endpoint (/api/method/frappe.integrations.oauth2.openid_profile) with the access token in the Authorization header and get details about the user.
If you are going to use it with cookies, you need to serve your React app along with the ERPNext site on the same domain. Either use nginx to reverse proxy an additional route or add a Single Page Application to a website portal page.
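The bearer-token call to the userinfo endpoint described above, as an added example that is not part of the original post. The function names and the erp.example.com site URL are assumptions made for illustration; it assumes the site is served over HTTPS and that its allow_cors setting lists the origin the browser app is served from.

```javascript
// Added example: buildUserinfoRequest and fetchUserinfo are illustrative names,
// not Frappe or ERPNext APIs. Only the endpoint path comes from the post.
const USERINFO_PATH = "/api/method/frappe.integrations.oauth2.openid_profile";

// Build the cross-origin request without sending it, so it can be inspected.
function buildUserinfoRequest(siteUrl, accessToken) {
  // Resolve against the site origin; any path on siteUrl is discarded.
  const url = new URL(USERINFO_PATH, siteUrl);
  if (url.protocol !== "https:") {
    // A bearer token is a replayable secret; never put it on a plaintext link.
    throw new Error("refusing to send a bearer token over " + url.protocol);
  }
  // Printable ASCII only: rejects empty tokens and CR/LF or spaces in the header.
  if (typeof accessToken !== "string" || !/^[\x21-\x7e]+$/.test(accessToken)) {
    throw new Error("access token is missing or malformed");
  }
  return {
    url: url.href,
    options: {
      method: "GET",
      mode: "cors",        // needs the app's origin allowed via allow_cors
      credentials: "omit", // token-only: no session cookie is sent or stored
      headers: {
        Authorization: "Bearer " + accessToken,
        Accept: "application/json",
      },
    },
  };
}

// Send the request and return the parsed user details.
async function fetchUserinfo(siteUrl, accessToken, fetchImpl = fetch) {
  const { url, options } = buildUserinfoRequest(siteUrl, accessToken);
  const res = await fetchImpl(url, options);
  if (res.status === 401 || res.status === 403) {
    // Expired or revoked token: send the user back through the OAuth flow.
    throw new Error("access token rejected (HTTP " + res.status + ")");
  }
  if (!res.ok) {
    throw new Error("userinfo request failed (HTTP " + res.status + ")");
  }
  return res.json();
}
```

From the React app this would be called as `fetchUserinfo("https://erp.example.com", token)`, where the site URL is a placeholder.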