A little more digging, and I’m seeing two likely session cookies for my app, named ring-session, and anvilapp. Both are both marked as HTTP Only cookies, which would explain why the Javascript call wouldn’t use them.
Having a session cookie as HTTP Only makes good sense from a security standpoint, sadly, so it doesn’t look like I’ll be able to do what I’m trying to do. At least not with standard sessions.