identityserver4

SaveTokens = true stupid in OpenIdConnect Middleware?


After getting the access token with hybrid or authorization code flow to keep them from the browser, it seems stupid to use SaveTokens = true in the (ASP.NET Core) OpenIdConnect middleware so that they end up in the browser again.

What is a better way to store the access token using the middleware?


Solution

  • Using SaveTokens the middleware stores the tokens in the cookie along with a user's claims. Whilst this cookie might be stored in a browser, it's protected so only that application can read it. The browser or client-side code cannot read the cookie. So they're not really ending up in the browser (like they would using the implicit grant type).

    Otherwise what you would need to do is create a token store, looking up tokens either by authenticated user or by session.

    ASP.NET Core Identity has a table for storing tokens for a user you could look into using, but then this would mean all of your applications have to integrate with the ASP.NET Identity library and a token could be accessed by any app.
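The session-keyed token store the answer mentions can be built on the cookie handler's own `SessionStore` hook, so `SaveTokens = true` still captures the tokens but they never leave the server. This is an added example, not code from the answer or from IdentityServer4; `MemoryCacheTicketStore` and `AuthSetup` are hypothetical names, and the Authority, ClientId and ClientSecret values are placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.DependencyInjection;
// Server-side ticket store: the AuthenticationTicket (claims plus the tokens captured by
// SaveTokens) stays in process memory; the browser cookie carries only an opaque random key.
public class MemoryCacheTicketStore : ITicketStore
{
    private readonly IMemoryCache _cache = new MemoryCache(new MemoryCacheOptions());
    public async Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        var key = "AuthTicket-" + Guid.NewGuid().ToString("N"); // unguessable lookup key
        await RenewAsync(key, ticket);
        return key;
    }
    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        // Expire with the cookie's own lifetime so tokens do not outlive the session
        // (the sliding window is a fallback for tickets without ExpiresUtc).
        _cache.Set(key, ticket, new MemoryCacheEntryOptions {
            AbsoluteExpiration = ticket.Properties.ExpiresUtc, SlidingExpiration = TimeSpan.FromMinutes(20) });
        return Task.CompletedTask;
    }
    public Task<AuthenticationTicket> RetrieveAsync(string key) =>
        Task.FromResult(_cache.TryGetValue(key, out AuthenticationTicket t) ? t : null);
    public Task RemoveAsync(string key) { _cache.Remove(key); return Task.CompletedTask; }
}

public static class AuthSetup
{
    // Call from Startup.ConfigureServices; Authority, ClientId and ClientSecret are placeholders.
    public static void AddOidcWithServerSideTokens(IServiceCollection services)
    {
        services.AddAuthentication(o => { o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                                          o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme; })
            .AddCookie(o => o.SessionStore = new MemoryCacheTicketStore()) // cookie now holds only the key
            .AddOpenIdConnect(o =>
            {
                o.Authority = "https://idp.example.com";
                o.ClientId = "mvc";
                o.ClientSecret = "<client-secret-placeholder>";
                o.ResponseType = "code id_token"; // hybrid flow, as in the question
                o.SaveTokens = true;              // tokens go into the server-side ticket, not the cookie
            });
    }
}
```

An in-process cache is only suitable for a single instance; behind a load balancer the same `ITicketStore` shape can be backed by `IDistributedCache` so every node can resolve the key.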