Securing a serverless application using Cognito


Hi, I am working on an application with the following architecture: (image: App current architecture)

The end users (customers) will connect to the application using the Cognito hosted UI and be redirected to the front-end UI, where they can perform actions through REST API endpoints at /api/; the backend validates and transforms their requests into requests usable by the external application. The administrators connect to the same interface, but they have extra access to the API endpoints located at /api/admin/.

Currently I am using a Cognito authorizer on API Gateway with a single user pool, where users belong either to the group "user", where they only access the customer functions of the application, or to the group "admin", where they have access to everything.

I am using header-based authentication (each request to API Gateway should have the Authorization: Bearer TOKEN header). I have the following issues and questions.

  1. I can't differentiate between user groups to control access using the same user pool.
  2. I don't want to have to include the Authorization header on every request the browser makes. Is there a way I could save the token in a cookie and use it in the authorizer on API Gateway (token source)?
  3. Anyone can access the HTML of the administrator pages. Although this isn't a security issue, I would prefer having the ability to redirect a user to the home page if he's not an admin, or to the login URL if he's not logged in.

PS: This is my first question/post on re:Post, please let me know if I made mistakes in my message.

Any response or feedback is highly appreciated. Thank you!

1 Answer

Hi,

  1. You could use custom scopes to let API Gateway do the fine-grained authorization with the Cognito authorizer. Alternatively, you can use a Lambda authorizer and map the group membership to a policy document stored in DynamoDB, as described in this article.
  2. You could use an httpOnly cookie with an access token inside.
  3. You can use Lambda@Edge to protect your CloudFront content from unauthenticated users.

Hope this helps.

AWS
answered 10 months ago
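The following is an added example, not code from the re:Post answer above or from AWS, showing what points 1 and 2 of that answer look like in a Lambda REQUEST authorizer: the token is taken from the Authorization header or from an httpOnly cookie (for a REQUEST authorizer the identity source can be the Cookie header rather than Authorization), the token is verified as a Cognito access token, and the cognito:groups claim is mapped to an IAM policy that lets every authenticated user call /api/* but explicitly denies /api/admin/* unless the user is in the "admin" group. The group names come from the question; the cookie name, issuer URL, client id, key id and method ARN are placeholders. So that it runs offline, RS256 verification (the algorithm Cognito uses) is written against the Python standard library and a demo-sized key pair generated in the script stands in for the user pool's signing key; a real Lambda would use a JWT library (for example PyJWT) against the pool's published JWKS instead.

```python
"""API Gateway REQUEST authorizer: validates a Cognito-style RS256 access token from an Authorization
header or an httpOnly cookie and maps cognito:groups to an IAM policy denying /api/admin/* to non-admins.
Added example; group and cookie names, issuer, client id, key size and ARNs below are assumptions."""
import base64, hashlib, hmac, http.cookies, json, secrets, time

ADMIN_GROUP = "admin"          # group name taken from the question
TOKEN_COOKIE = "access_token"  # hypothetical cookie name

def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# RS256 (RSASSA-PKCS1-v1_5 + SHA-256) in pure stdlib so this runs offline; real code would use a JWT library.
_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg, k):  # EM = 0x00 0x01 FF..FF 0x00 || DigestInfo(SHA-256(msg)), k bytes long
    t = _DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def _probable_prime(n, rounds=16):  # Miller-Rabin; callers pass odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and not any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            return False
    return True

def make_rsa_key(bits=1024):  # demo-sized key standing in for the pool's signing key (Cognito uses 2048-bit)
    e, primes = 65537, []
    while len(primes) < 2:
        c = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if (c - 1) % e and c not in primes and _probable_prime(c):
            primes.append(c)
    p, q = primes
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def to_jwk(key, kid):  # public half in the JWKS shape served at .../<pool-id>/.well-known/jwks.json
    enc = lambda v: b64url_encode(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid, "n": enc(key["n"]), "e": enc(key["e"])}

def sign_jwt(claims, key, kid):  # stand-in for Cognito issuing a token; used only to build constructed test data
    si = b64url_encode(json.dumps({"alg": "RS256", "kid": kid}).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(si.encode(), k), "big")
    return si + "." + b64url_encode(pow(m, key["d"], key["n"]).to_bytes(k, "big"))

def verify_access_token(token, jwks, issuer, client_id, now=None):
    """Claims if kid, allow-listed alg, signature, iss, client_id, token_use and exp all check out, else None."""
    try:
        h64, c64, s64 = token.split(".")
        hdr, claims, sig = json.loads(b64url_decode(h64)), json.loads(b64url_decode(c64)), b64url_decode(s64)
        if not (isinstance(hdr, dict) and isinstance(claims, dict)):
            raise ValueError("JWT header/payload must be JSON objects")
    except (AttributeError, ValueError):
        return None
    jwk = next((j for j in jwks["keys"] if j.get("kid") == hdr.get("kid") and j.get("kty") == "RSA"), None)
    if hdr.get("alg") != "RS256" or jwk is None:  # never let the token choose the algorithm
        return None
    n, e = (int.from_bytes(b64url_decode(jwk[x]), "big") for x in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if len(sig) != k or not hmac.compare_digest(em, _emsa_pkcs1_v15(f"{h64}.{c64}".encode(), k)):
        return None
    now, exp = (time.time() if now is None else now), claims.get("exp")
    ok = (claims.get("iss") == issuer and claims.get("client_id") == client_id and claims.get("token_use") == "access"
          and isinstance(exp, (int, float)) and exp > now)
    return claims if ok else None

def extract_token(event):  # Bearer header first, else the httpOnly cookie (REST API: Cookie header; HTTP API v2: event["cookies"])
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("bearer "):
        return auth[7:].strip()
    jar = http.cookies.SimpleCookie()
    try:
        for raw in [headers.get("cookie", "")] + list(event.get("cookies") or []):
            jar.load(raw)
    except http.cookies.CookieError:
        return None
    return jar[TOKEN_COOKIE].value if TOKEN_COOKIE in jar else None

def authorize(event, jwks, issuer, client_id, now=None):
    """Authorizer body. In Lambda, wrap as lambda_handler(event, context) with the JWKS fetched once from
    https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json and cached across invocations."""
    api, stage = event["methodArn"].split("/")[:2]
    inv = lambda effect, path: {"Action": "execute-api:Invoke", "Effect": effect,
                                "Resource": f"{api}/{stage}/*{path}"}  # any HTTP method under that path
    claims = verify_access_token(extract_token(event), jwks, issuer, client_id, now)
    if claims is None:  # raising Exception("Unauthorized") here instead makes API Gateway answer 401 rather than 403
        return {"principalId": "anonymous", "policyDocument": {"Version": "2012-10-17", "Statement": [inv("Deny", "")]}}
    groups = claims.get("cognito:groups", [])
    stmts = [inv("Allow", "/api/*")]
    if ADMIN_GROUP not in groups:  # an explicit Deny overrides the Allow above
        stmts.append(inv("Deny", "/api/admin/*"))
    return {"principalId": claims.get("sub", "unknown"), "context": {"groups": ",".join(groups)},
            "policyDocument": {"Version": "2012-10-17", "Statement": stmts}}

if __name__ == "__main__":  # constructed demo: a "user" group member hitting an admin route via the cookie
    key, kid, iss, cid = make_rsa_key(), "demo-kid", "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE", "example-client-id"
    tok = sign_jwt({"sub": "u1", "iss": iss, "client_id": cid, "token_use": "access", "exp": time.time() + 3600,
                    "cognito:groups": ["user"]}, key, kid)
    print(json.dumps(authorize({"methodArn": "arn:aws:execute-api:eu-west-1:123456789012:a1b2c3/prod/GET/api/admin/users",
                                "headers": {"Cookie": f"{TOKEN_COOKIE}={tok}"}}, {"keys": [to_jwk(key, kid)]}, iss, cid), indent=1))
```

Two caveats a practitioner would want here. First, the checks in verify_access_token are the ones that make a Lambda authorizer safe: the algorithm is allow-listed instead of read from the token, the key is selected by kid from the pool's JWKS, and iss, client_id, token_use and exp are all checked, so an ID token, a token from another app client, or an expired token is rejected even though its signature is valid. Second, once the token travels in a cookie the browser attaches it automatically, so the cookie should be set with HttpOnly, Secure and a SameSite attribute, and the API should treat state-changing requests with the usual CSRF care; the Bearer header approach in the question did not have that exposure.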
