I got this to work using guidance from ensuring-secure-cookies-with-url-rewrite
This is what I added to my Web.config file under the <rewrite> tag after the <rules/> block:
<outboundRules>
<rule name="Ensure secure Cookies" preCondition="Missing secure cookie">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; SameSite=None; secure" />
</rule>
<preConditions>
<preCondition name="Missing secure cookie">
<!-- Don't remove the first line here, it does do stuff! -->
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=None; secure" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
So your <rewrite> block should look something like this after:
<rewrite>
<rules>
<!-- Do not interfere with requests for node-inspector debugging -->
<rule name="NodeInspector" patternSyntax="ECMAScript" stopProcessing="true">
<match url="^server.js\/debug[\/]?" />
</rule>
<!-- First we consider whether the incoming URL matches a physical file in the /public folder -->
<rule name="StaticContent">
<action type="Rewrite" url="public{PATH_INFO}"/>
</rule>
<!-- All other URLs are mapped to the node.js site entry point -->
<rule name="DynamicContent">
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="True"/>
</conditions>
<action type="Rewrite" url="server.js"/>
</rule>
</rules>
<outboundRules>
<rule name="Ensure secure Cookies" preCondition="Missing secure cookie">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; SameSite=None; secure" />
</rule>
<preConditions>
<preCondition name="Missing secure cookie">
<!-- Don't remove the first line here, it does do stuff! -->
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=None; secure" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>