First, is CORS necessary here? Are they running JavaScript code being loaded in a page from a different server that is trying to access your server? (If not, then CORS isn’t relevent here.)
Have you looked at the browser’s developer tools to see if the cookie is included in the response from the server?
(Did you try not specifying the port numbers in the CSRF and COOKIE settings? There’s one of these settings that you don’t specify a port, I don’t remember right off-hand which one it is. Maybe it’s both?)
The SESSION_COOKIE_DOMAIN definitely does not include the scheme. It should be “localserver”. However, in general, unless you’re sharing cookies across servers in a DNS domain, I’d recommend removing that setting.
I’d also suggest removing the SESSION_COOKIE_SAMESITE setting unless you have an identified need for it.