I know, I have the same problem. The Atlassian JWT is designed to be used for calling the REST API from the host product. Atlassian will make sure that the JWT token remains valid as long as the user is signed in.
The general idea is that you provide your own session authentication (be it JWT or HTTP-only cookies) for the (subsequent) calls to your REST service. You can use the Atlassian JWT token for the initial communication with your own service to identify the user. After you have established the validity of the user, you can replace the Atlassian JWT with your own.
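A sketch of the exchange described in the post above, added here as an example and not taken from the post or from Atlassian's code: the first call verifies the Atlassian JWT, later calls carry a token the app mints itself. It assumes the Atlassian token is HS256-signed with the shared secret stored at install time, with `iss` holding the client key and `sub` the user; every name, key and issuer value is constructed, and the request-binding `qsh` claim check is left out.

```python
import base64, hashlib, hmac, json, time

# Constructed values: clientKey -> sharedSecret stored at install time, and the app's own key.
TENANT_SECRETS = {"constructed-client-key": b"constructed-shared-secret"}
SESSION_ISS, SESSION_KEY = "my-app", b"constructed-session-key"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key: bytes, head: str, body: str) -> bytes:
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign_hs256(claims: dict, key: bytes) -> str:
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_mac(key, head, body))}"

def verify_hs256(token: str, keys: dict, now: float) -> dict:
    """Return the claims if the token is HS256-signed by a known issuer and unexpired."""
    try:
        head, body, sig = token.split(".")
        header, claims, given = json.loads(_unb64(head)), json.loads(_unb64(body)), _unb64(sig)
    except (ValueError, AttributeError):
        raise ValueError("malformed token") from None
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected header or payload")
    iss = claims.get("iss")
    key = keys.get(iss) if isinstance(iss, str) else None  # key chosen by issuer, never by the header
    if key is None or not hmac.compare_digest(_mac(key, head, body), given):
        raise ValueError("unknown issuer or bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired or missing exp")
    return claims

def exchange(atlassian_jwt: str, now: float = None, ttl: int = 900) -> str:
    """First call: check the Atlassian JWT, then mint the app's own short-lived session token."""
    now = time.time() if now is None else now
    claims = verify_hs256(atlassian_jwt, TENANT_SECRETS, now)
    if not isinstance(claims.get("sub"), str):
        raise ValueError("token carries no user")
    return sign_hs256({"iss": SESSION_ISS, "tenant": claims["iss"], "sub": claims["sub"],
                       "exp": int(now) + ttl}, SESSION_KEY)

def verify_session(token: str, now: float = None) -> dict:
    """Subsequent calls: accept only tokens minted by exchange()."""
    return verify_hs256(token, {SESSION_ISS: SESSION_KEY}, time.time() if now is None else now)
```

Because the session verifier only knows the app's own issuer and key, an Atlassian JWT replayed against the later endpoints is rejected, and the session lifetime is set by the app rather than by the host product.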