So if I just forward the cookie header (which contains the access-token), wouldn't that be just what I am not supposed to do. I mean what's the point of using 'HttpOnly' flag if I return the token to the client-side js on every request.

Again, this is all opinion-based, and due to the sheer number of developers who rely on this technology as their bread and butter, sub-communities and religiousness forms around patterns, anti-patterns, practices, de-facto standards, micro-packages, polyfills, frameworks, build-tools, etc.

Examples

there are two key elements to an anti-pattern that distinguish it from a bad habit, bad practice, or bad idea