How to properly use JTI claims with JWT to prevent replay attacks?

Tags: angularjs

I can't speak to Java/Spring, but I can try to clarify your concerns regarding JWTs and JTI claims.

Implementing a JTI to uniquely identify a JWT can help prevent replay attacks where an attacker sends the same JWT to make a request. The server would generate the JTI value and send it along with a new JWT on every response. When receiving a new request, the server would have to validate the JTI value (to ensure that it had not been used before). Implementing this does require some sort of persistent storage on the server, which can look more or less like traditional sessions, so it feels a bit weird since one of the advertised benefits of JWT is a "stateless application".

You're absolutely correct about your concern of a man-in-the-middle attack: if someone DOES intercept the JWT (and its single-use JTI) and then makes a request BEFORE you do, their request will be considered valid and YOUR subsequent requests will appear to the server to be "replays" (and the server would consider them invalid).
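The scheme the answer above describes (server issues a fresh `jti` on every response, remembers which `jti` values have already been consumed, and rejects a token whose `jti` has been seen before) as a runnable added example. This is not code from the question or the answer: it hand-rolls a minimal HS256 JWT with the standard library so it runs offline, and the `JtiStore`, `handle_request` and the constructed secret/timestamps are assumptions for the demo. In a real deployment the store must be shared across server instances (a database or cache with TTLs), which is exactly the "looks like sessions" state the answer points out.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"constructed-demo-hmac-key"  # constructed; a real key comes from a secrets manager


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, key: bytes = SECRET, ttl: int = 300, now=None) -> str:
    """Mint an HS256 JWT carrying a random, single-use jti claim."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl, "jti": secrets.token_urlsafe(16)}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, key: bytes = SECRET, now=None) -> dict:
    """Check structure, algorithm, signature and expiry; return the payload."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    signing_input = parts[0] + "." + parts[1]
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # never trust the header to pick the algorithm
        raise ValueError("unexpected alg")
    payload = json.loads(_b64url_decode(parts[1]))
    if "jti" not in payload or payload.get("exp", 0) <= now:
        raise ValueError("missing jti or expired")
    return payload


class JtiStore:
    """Server-side record of consumed jti values (the state the answer mentions).

    Entries are kept until the token's own exp, after which a replay would fail
    on expiry anyway, so the store cannot grow without bound.
    """

    def __init__(self):
        self._used = {}  # jti -> exp

    def consume(self, jti: str, exp: int, now: int) -> bool:
        """Return True the first time a jti is presented, False on any replay."""
        self._used = {j: e for j, e in self._used.items() if e > now}
        if jti in self._used:
            return False
        self._used[jti] = exp
        return True


def handle_request(token: str, store: JtiStore, key: bytes = SECRET, now=None):
    """Validate the bearer token, reject replays, and rotate to a fresh jti."""
    now = int(time.time()) if now is None else now
    payload = verify_token(token, key, now)
    if not store.consume(payload["jti"], payload["exp"], now):
        raise PermissionError("replay detected: jti already used")
    return payload, issue_token(payload["sub"], key, now=now)


if __name__ == "__main__":
    store = JtiStore()
    t1 = issue_token("alice", now=1000)
    _, t2 = handle_request(t1, store, now=1001)        # first use: accepted, new token issued
    try:
        handle_request(t1, store, now=1002)            # same token again: replay, rejected
    except PermissionError as err:
        print("second use of t1:", err)
    handle_request(t2, store, now=1003)                # rotated token: accepted
    # The man-in-the-middle case from the answer: whoever presents t3 first wins,
    # and the legitimate client's later request is the one flagged as a replay.
    t3 = issue_token("alice", now=1004)
    handle_request(t3, store, now=1005)                # interceptor's request
    try:
        handle_request(t3, store, now=1006)            # real client's request
    except PermissionError as err:
        print("legitimate client after interception:", err)
```

The last block of the demo shows why a single-use `jti` is a replay control and not a substitute for transport security: the store cannot tell the interceptor's request from the owner's, so the token still has to travel only over TLS, and the rejection of the owner's request is a signal worth logging and alerting on rather than silently dropping.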