The solution to this problem is to return a CSRF token to the client once the user is authenticated. If the user then performs a write operation (a Mutation), the client has to send this token along with the request.
An attacker who lures our user onto their own fake website would still be able to make the browser send the user's cookie. However, they would not have access to the CSRF token. This way, attackers are prevented from performing actions on behalf of a user unless they hold the matching CSRF token.
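The following is an added illustration of this server-side check, not code from the original post; the session store, the token store and the simplified operation-type detection are assumptions made for the example. Queries pass on the cookie alone, Mutations additionally require the CSRF token that was bound to that very session at login.

```python
import hmac
import re
import secrets

# Constructed in-memory stores standing in for the server's session and CSRF state.
SESSIONS = {}        # session cookie value -> user id
CSRF_TOKENS = {}     # session cookie value -> CSRF token bound to that session

# Matches the operation keyword of a GraphQL document; a bare "{ ... }" document is a query.
# Assumed simplification: a real server should take the operation type from the parsed AST.
OPERATION_RE = re.compile(r"^\s*(query|mutation|subscription)\b", re.IGNORECASE)


def login(user_id):
    """Authenticate the user: create a session cookie and a CSRF token tied to it."""
    session_id = secrets.token_urlsafe(32)
    csrf_token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = user_id
    CSRF_TOKENS[session_id] = csrf_token
    # The cookie travels automatically with cross-site requests; the token does not,
    # so the client must read it from this response and send it back explicitly.
    return session_id, csrf_token


def operation_type(document):
    """Return 'query', 'mutation' or 'subscription' for a GraphQL document."""
    match = OPERATION_RE.match(document)
    return match.group(1).lower() if match else "query"


def handle_graphql(session_cookie, csrf_header, document):
    """Decide whether a request may run. Returns (status_code, reason)."""
    user_id = SESSIONS.get(session_cookie)
    if user_id is None:
        return 401, "no valid session"
    op = operation_type(document)
    if op == "mutation":
        expected = CSRF_TOKENS[session_cookie]
        # The token must be present and match the one bound to *this* session; a token
        # issued to another session is worthless. compare_digest avoids timing leaks.
        if csrf_header is None or not hmac.compare_digest(
            expected.encode(), csrf_header.encode()
        ):
            return 403, "missing or invalid CSRF token"
    return 200, f"executed {op} as user {user_id}"
```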
In reality, many developers may not be aware of this problem or may not know how to address it.
One problem less to worry about! =)