Active Directory setup for .NET-backed React SPA

I am tasked with setting up Okta for a project which has a .NET WebAPI backend, with the front end being a React (JS) SPA. Currently the application is using a SAML implementation with JWT.

What is the best practice for this scenario? Should I continue to use JWT and drive authentication from the client side? Or is it better to have the client side submit login information to the .NET backend, and perform the authentication from the server side?

Also, does Okta have an AD sandbox? Or do I need to set up my own and connect it to my Okta dev account?

~Shea M