1 min read · Sep 9, 2020
When your site is vulnerable to XSS, it is usually game over no matter where the token lives. Even if you put the token in an httpOnly cookie, which script cannot read, the attacker's injected script can still issue requests from your origin, and the browser attaches the cookie automatically. The attacker never sees the token, but can act as the user anyway.
Storing the token in a variable (a closure held in memory) does make it harder for the attacker to reach than localStorage or sessionStorage, where an injected script can dump every key in one expression without needing to dig any further. It raises the bar, it does not remove it: the script can still hunt for the variable, or simply hook fetch/XMLHttpRequest and wait for the application to send the token in its next request. The in-memory token is also lost on page reload, which is the usability cost you pay for it.
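To make the three cases concrete, here is an added example (not code from the original post) that models them under Node. The `win` object is a stand-in for the browser `window`: its `fetch` is a synchronous stub that records each request and attaches the cookie jar the way a real browser would, the cookie value and the token string are constructed placeholders, and the `xss*` functions play the role of a payload an attacker managed to inject.

```javascript
// Stand-in for the browser window (constructed for this example).
const win = {
  localStorage: new Map(),                                              // window.localStorage
  cookies: [{ name: 'session', value: 'sess-0xC0FFEE', httpOnly: true }], // browser cookie jar
  requests: [],                                                         // what "the server" received
  document: {
    // document.cookie never exposes httpOnly cookies to script.
    get cookie() {
      return win.cookies.filter((c) => !c.httpOnly).map((c) => `${c.name}=${c.value}`).join('; ');
    },
  },
  fetch(url, init = {}) {
    // Browser behaviour: cookies ride along on same-origin requests regardless of who issued them.
    const cookie = this.cookies.map((c) => `${c.name}=${c.value}`).join('; ');
    this.requests.push({ url, method: init.method || 'GET', headers: { ...(init.headers || {}) }, cookie });
    return { ok: true };
  },
};

// --- Case 1: token in localStorage ---------------------------------------
function appUsingLocalStorage(token) {
  win.localStorage.set('access_token', token);
}
// The injected script dumps every key in one expression; no digging required.
function xssDumpLocalStorage() {
  return JSON.stringify(Object.fromEntries(win.localStorage));
}

// --- Case 2: token in a closure variable ---------------------------------
function createApiClient(token) {
  // `token` is reachable only through this closure; nothing on the returned object exposes it.
  return {
    get(url) {
      return win.fetch(url, { headers: { Authorization: `Bearer ${token}` } });
    },
  };
}
// The injected script cannot enumerate the closure from the outside...
function xssProbeClient(client) {
  return { ownKeys: Object.keys(client), token: client.token };
}
// ...but it can hook the sink the app must eventually call and wait for the next request.
function xssHookFetch() {
  const captured = [];
  const original = win.fetch;
  win.fetch = function (url, init = {}) {
    const auth = (init.headers || {}).Authorization;
    if (auth) captured.push(auth.replace(/^Bearer /, ''));
    return original.call(this, url, init);
  };
  return captured;
}

// --- Case 3: token in an httpOnly cookie ---------------------------------
// The script cannot read the cookie, but it can make the victim's browser send an
// authenticated request anyway; the browser attaches the cookie for it.
function xssRideSession() {
  win.fetch('/api/transfer', { method: 'POST', headers: { 'Content-Type': 'application/json' } });
  return win.requests[win.requests.length - 1];
}

// Runs all three cases and returns what the attacker ended up with.
function run() {
  const token = 'eyJ.example.token'; // constructed placeholder, not a real JWT
  const out = {};

  appUsingLocalStorage(token);
  out.localStorageDump = xssDumpLocalStorage();   // token verbatim

  const client = createApiClient(token);
  out.probe = xssProbeClient(client);             // { ownKeys: ['get'], token: undefined }
  const captured = xssHookFetch();
  client.get('/api/me');                          // the app's next legitimate call leaks through the hook
  out.hookedToken = captured[0];

  out.cookieVisibleToScript = win.document.cookie; // '' (httpOnly)
  out.riddenRequest = xssRideSession();            // carries the session cookie the script never saw
  return out;
}

console.log(JSON.stringify(run(), null, 2));
```

The point of the second case is that the closure only hides the token at rest; the moment the application uses it, it passes through `fetch`, and an attacker who already executes script in your origin can own `fetch`. The third case shows why httpOnly is not a fix for XSS either: the cookie stays secret, but the session does not.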