I installed the SameSite plug-in which mimics the default PHP setcookie behavior and adds the additional parameter (samesite) to the cookie. I set the plug-in configuration in wp-config.php with:
define( 'WP_SAMESITE_COOKIE', 'None' );
By setting the configuration of samesite=None, browsers will not enforce SameSite rules that are used to prevent CSRF. From the Mozilla blog:
Attackers can abuse the fact that cookies are automatically sent with every request to force a user to perform unwanted actions on the site where they are currently logged in. Such attacks, known as cross-site request forgeries (CSRF), allow attackers who control third-party code to perform fraudulent actions on the user’s behalf. Unfortunately current web architecture does not allow web applications to reliably distinguish between actions initiated by the user and those that are initiated by any of the third-party gadgets or scripts that they rely on.
To compensate, the same-site cookie attribute allows a web application to advise the browser that cookies should only be sent if the request originates from the website the cookie came from. Requests triggered from a URL different than the one that appears in the URL bar will not include any of the cookies tagged with this new attribute.
For this use internal case, it will allow WordPress to be loaded via an iFrame.