Hi Justin, how is it working for you now?
Because it might not be relevant for iframes... in this case your app does not make API calls to the analytical backend where it needs to be authenticated, but you are embedding part of our application which needs to have active authenticated session. If you use OIDC, the iframe should be checking by itself if there's an active session in your browser.
There might be an issue if the cookies are considered 3rd party (your app domain doesn't match with the gooddata domain) - this is usually solved by whitelabeling the gooddata environment with custom hostname.
There are also other authentication options for iframe (injected API token or JWT), but these might require a bit more development.