Short expiry time and rotating tokens sound like something you should be doing in either case. If someone grabs your token, then it doesn't matter whether or not it's stateful or not, you'll have to invalidate it either way by either re-signing a new token with, for example, a changed password, or by removing it from your session state. What if you used a short JWT as an HTTP only cookie? 4096 bytes sounds like a lot of data, makes sense to not send such a large token with each request anyway.
@talon depends on what the tokens are for. It's not straightforward to XSS a bank, at least as far as I know.
@bulkington I'm not looking at it from an attackers side. I'm developing a web app and looking into ways to handle authentication and authorization both for the web frontend and the API, which are separate things.
What if you used a proxy for your web app to store the tokens, keep all it's state contained and off the client, while providing tokens to people implementing your API that may have better means to store the tokens securely? If you have that kind of access to a device then certainly you could be doing much worse than just steal someone's tokens?