Jira Server OAuth 1.0a authentication with SPA

bamunro July 15, 2021

I am building an application that pulls information from the Jira Server API to generate some graphs / data summaries. The application is built with a React frontend and a NestJS backend. The data flow of the application looks like this:

  1. An authenticated frontend user requests a chart for a specific Jira project from the backend.

  2. The backend API has a cache of most Jira issue data needed to build the chart, but makes a request to the Jira API asking for any new or updated issues since the last time they had been updated in the backend.

  3. New Jira issue data is processed.

  4. Backend returns complete chart data to the frontend.

Currently, as I am early in development, the request to Jira is made using a temporary user with full access to Jira. I would like to switch this to a system where each user "links" their Jira account to their account in the application, to leverage the access control implemented in Jira. Currently, authentication for the application is done using Azure AD for Microsoft SSO on the frontend using the msal-react library; requests are then authenticated by the backend using the passport-azure-ad library's BearerStrategy.

Here lies the issue I am trying to figure out. I need to authenticate with Jira using OAuth 1.0a because, unfortunately, that is all that the Jira Server edition supports. Based on my research this is only possible in a more traditional "Client <-> Server <-> Jira API" flow. But since the backend server isn't hosting the frontend, my setup can't work like that.

The callback URL configured in the Jira Application Link can't be the frontend, since the OAuth 1.0a standard requires the use of private keys, which can't be handled on the frontend. I was instead thinking of having the callback URL be hosted by the backend, so the user on the frontend clicks a "Link with Jira" button that opens a new tab where they authenticate with Jira, and then Jira returns the token to an endpoint on the backend.

One problem with this solution is that I'm not sure how I can then associate that token with the correct user in my system, as the information from Jira authentication won't have any ID associated with the system's user ID; it would only contain the Jira user's ID, which at this time my system has no knowledge of. I'm also wondering if there is a better way to solve this problem; this just seems like the most likely, albeit incomplete, solution path.
