Is storing an OAuth 2 token in cookies bad practice? If so, what are alternatives for a web app?
I definitely wouldn't do it. When security is involved, you should not store stuff in places where others can access it. So don't store it anywhere, especially client-side.
That being said, it's not bad practice per se if handled properly. See this comprehensive article about it.