Long story short: including the stage marker for authentication synced up the execution of the okta oidc middleware with the default CookieAuthenticationOptions. So no overriding OnApplyRedirect on the CookieAuthenticationProvider.
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOktaMvc(new OktaMvcOptions()
{
OktaDomain = OidcDomain,
ClientId = ClientId,
ClientSecret = ClientSecret,
AuthorizationServerId = AuthorizationServerId,
RedirectUri = RedirectUri,
PostLogoutRedirectUri = PostLogoutRedirectUri,
GetClaimsFromUserInfoEndpoint = GetClaimsFromUserInfoEndpoint,
Scope = new List<string> { "profile" },
});
//Use a stage marker to force the above middleware to execute during Authentication
//so that an oidc token is loaded before we LoadPrincipal in PostAuthenticate where a challenge may be issued
app.UseStageMarker(PipelineStage.Authenticate);