
Still waiting for "BFF" https://datatracker.ietf.org/doc/html/draft-bertocci-oauth2-... to gain popularity; the setup seems solid, though slightly more complex compared to these other methods.
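The core mechanism of the BFF pattern the comment refers to, as an added example (not code from the draft, the commenter, or any project): the browser only ever holds an opaque HttpOnly session cookie, while the BFF keeps the OAuth tokens server-side and attaches them to upstream API calls, refreshing when they expire. The names `SessionStore`, `Bff`, `fake_refresh` and `fake_upstream` are assumptions; the token endpoint and resource server are stubbed with constructed in-memory fakes so it runs offline.

```python
"""Minimal backend-for-frontend (BFF) token handling.

Added example, not from the draft or any project. Names and the fake
endpoints are assumptions made for the demonstration.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Tokens:
    access_token: str
    refresh_token: str
    expires_at: float  # unix time after which the access token is stale


class SessionStore:
    """Server-side map from opaque session id to tokens.

    The browser never sees the tokens, only the session id.
    """

    def __init__(self):
        self._sessions: dict[str, Tokens] = {}

    def create(self, tokens: Tokens) -> str:
        sid = secrets.token_urlsafe(32)  # 256-bit random, unguessable id
        self._sessions[sid] = tokens
        return sid

    def get(self, sid: str):
        return self._sessions.get(sid)

    def update(self, sid: str, tokens: Tokens) -> None:
        self._sessions[sid] = tokens

    def delete(self, sid: str) -> None:
        self._sessions.pop(sid, None)


class Bff:
    COOKIE = "bff_session"

    def __init__(self, store, refresh_endpoint, upstream):
        self.store = store
        self.refresh_endpoint = refresh_endpoint  # (refresh_token) -> token response or None
        self.upstream = upstream                  # (path, headers) -> (status, body)

    def login_callback(self, token_response: dict) -> dict:
        """Store tokens obtained by the BFF's own code exchange.

        Returns the response headers for the browser: a cookie that carries
        only the opaque session id, never the tokens themselves.
        """
        tokens = Tokens(
            token_response["access_token"],
            token_response["refresh_token"],
            time.time() + token_response["expires_in"],
        )
        sid = self.store.create(tokens)
        cookie = f"{self.COOKIE}={sid}; HttpOnly; Secure; SameSite=Strict; Path=/"
        return {"Set-Cookie": cookie}

    def proxy(self, cookies: dict, path: str):
        """Forward a browser request upstream with the server-held access token."""
        sid = cookies.get(self.COOKIE)
        tokens = self.store.get(sid) if sid else None
        if tokens is None:
            return 401, "no session"
        if tokens.expires_at <= time.time():
            refreshed = self.refresh_endpoint(tokens.refresh_token)
            if refreshed is None:
                self.store.delete(sid)  # refresh rejected: drop the session
                return 401, "session expired"
            tokens = Tokens(
                refreshed["access_token"],
                refreshed["refresh_token"],
                time.time() + refreshed["expires_in"],
            )
            self.store.update(sid, tokens)
        return self.upstream(path, {"Authorization": f"Bearer {tokens.access_token}"})


# Constructed fakes standing in for the IdP token endpoint and the resource server.
def fake_refresh(refresh_token: str):
    if refresh_token == "rt-1":
        return {"access_token": "at-2", "refresh_token": "rt-2", "expires_in": 3600}
    return None


def fake_upstream(path: str, headers: dict):
    token = headers["Authorization"].removeprefix("Bearer ")
    return 200, f"GET {path} with {token}"


def session_id_from_cookie(set_cookie: str) -> str:
    """Extract the opaque id as the browser would store it."""
    return set_cookie.split(";")[0].split("=", 1)[1]


if __name__ == "__main__":
    store = SessionStore()
    bff = Bff(store, fake_refresh, fake_upstream)
    hdrs = bff.login_callback({"access_token": "at-1", "refresh_token": "rt-1", "expires_in": 3600})
    sid = session_id_from_cookie(hdrs["Set-Cookie"])
    print(hdrs["Set-Cookie"])
    print(bff.proxy({Bff.COOKIE: sid}, "/me"))
```

The point to check in a real deployment is the same one the fakes make visible: nothing in the cookie or in any browser-visible response contains an access or refresh token, and a request without the session cookie gets nothing from the upstream.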


BFF is not great for long term security, notably token binding. It's hard enough to bind an artifact to the browser session from the IDP - having each app implement binding passthrough from browser to app to IDP is even worse.


Doesn't this also mean you have to actually have a backend for your site? Can't just host an SPA on static web hosting on a CDN.

