Add SameSite Cookies as a Second Line of Defense
SameSite on session cookies stops the browser from sending them on cross-site requests: belt and braces alongside CSRF tokens. From the CSRF Protection AI Coding Building Block.
I already have CSRF tokens turned on. Now I want to harden my session cookies with the SameSite attribute as defense in depth. Explain and then change my config so that:

1. My session cookie is set with SameSite=Lax (or Strict, and you tell me which fits my app).
2. I understand what each value means (None / Lax / Strict) and what breaks with each.
3. I know which cross-origin requests will stop working after the change (for example, logins via an external link).
4. My cookie is also marked Secure and HttpOnly where appropriate.

My stack: [your framework here]
Do I have any third-party sites that POST to me legitimately? [yes/no, details]

I am learning, so explain each part simply and call out any surprise that might break users.
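The following is an added, framework-agnostic example and not code from the CSRF Protection building block. It uses only Python's standard library: build_session_cookie emits a Set-Cookie header value with SameSite, Secure and HttpOnly set (and refuses the invalid SameSite=None without Secure), and cookie_sent is a simplified model of the browser rule for which cross-site requests still carry the cookie, so breakage_report shows what each value breaks (the external-link login survives Lax but not Strict; a third-party POST loses the cookie under both). The scenario labels and the session value are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Added example (not from the CSRF Protection building block): build a hardened
# session cookie header with the standard library, and model which cross-site
# requests a browser will still attach it to for each SameSite value.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def build_session_cookie(name, value, samesite="Lax", secure=True, httponly=True, max_age=3600):
    """Return a Set-Cookie header value for a session cookie.

    Browsers only honour SameSite=None when Secure is also set, so that
    combination is rejected here instead of being shipped silently.
    """
    if samesite not in ("Lax", "Strict", "None"):
        raise ValueError(f"unknown SameSite value: {samesite}")
    if samesite == "None" and not secure:
        raise ValueError("SameSite=None requires the Secure attribute")
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["samesite"] = samesite
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    if secure:
        morsel["secure"] = True      # only sent over HTTPS
    if httponly:
        morsel["httponly"] = True    # not readable from document.cookie
    return morsel.OutputString()


def cookie_sent(samesite, cross_site, method, top_level_navigation):
    """Simplified model of whether a browser attaches the cookie to a request.

    cross_site: the request comes from a different site (registrable domain).
    top_level_navigation: the request changes the address bar (link click,
    form submit, redirect) rather than being a fetch/XHR, image or iframe load.
    Chromium's temporary allowance for cookies that merely default to Lax is
    not modelled; an explicit SameSite=Lax never gets it.
    """
    if not cross_site:
        return True                      # same-site requests always carry it
    if samesite == "Strict":
        return False                     # never on cross-site requests
    if samesite == "Lax":
        # Only top-level navigations with a safe method, i.e. a user following
        # a link to you; a cross-site POST (the classic CSRF shape) gets no cookie.
        return top_level_navigation and method.upper() in SAFE_METHODS
    if samesite == "None":
        return True                      # everything, so CSRF tokens do all the work
    raise ValueError(f"unknown SameSite value: {samesite}")


def breakage_report(samesite):
    """List the cross-site request shapes that lose the session cookie."""
    scenarios = {  # constructed scenarios: (method, top-level navigation?)
        "user follows an external link to your site (GET navigation)": ("GET", True),
        "third-party site POSTs a form to you (top-level)": ("POST", True),
        "your site embedded in someone else's iframe": ("GET", False),
        "cross-site fetch/XHR with credentials": ("POST", False),
    }
    return [label for label, (method, nav) in scenarios.items()
            if not cookie_sent(samesite, True, method, nav)]


if __name__ == "__main__":
    print(build_session_cookie("session", "constructed-session-id"))
    for mode in ("Strict", "Lax", "None"):
        print(f"\nSameSite={mode} breaks:")
        for line in breakage_report(mode) or ["nothing"]:
            print("  -", line)
```

Run it to see the header and the per-value breakage list; if the answer to the third-party POST question in the prompt is "yes", the report shows that neither Lax nor Strict will carry the cookie on that request, which is the surprise to plan for before changing the config.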