The Action<CookieAuthenticationOptions> has the [PathString] LoginPath and [PathString] AccessDeniedPath properties available to it, including the Cookie that is in the process of being constructed (CookieBuilder) and the CookieManager.
I'm not sure if it's absolutely necessary, but I feel fairly confident that you could attach a handler to one or more CookieAuthenticationOptions.Events that re-writes the cookie's path properties accordingly using the provided RedirectContext passed to the handler. See ref - CookieAuthenticationHandler to examine the details of how the path strings are used. In particular, you might look at the CookieAuthenticationEvents:RedirectToAccessDenied and CookieAuthenticationEvents:RedirectToLogin.
That said, I would first want to verify that you're not missing out on a way to get what you want via what's already built-in. Assuming your setup is something like
services.AddMvc(options => { options.Filters.Add(new MiddlewareFilterAttribute(typeof(LocalizationPipeline))); });
I would think that the RouteDataRequestCultureProviderwould handle appending the culture to the /Auth/Forbidden URL that ends up being issued, hinting that there might be a more optimal solution somewhere in how the components are being configured rather than in custom rewriting of paths.
Some additional references:
https://andrewlock.net/url-culture-provider-using-middleware-as-mvc-filter-in-asp-net-core-1-1-0/
https://github.com/aspnet/Security/blob/488eb44467eb677eab62bdc49aa6255cc1be3119/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationOptions.cs
{culture}/Auth/Forbidden?