The reason checkout shows denied usually isn’t just where the Cookiebot script loads. It’s about whether your CMP consent is being synced into Shopify’s Customer Privacy API.
Here’s the pattern I’ve seen: the CMP sets consent state on the storefront, but the checkout sandbox doesn’t automatically read your CMP cookie or GTM dataLayer state. Shopify-managed checkout/pixels rely on Shopify’s own customer privacy state. So if nothing bridges your CMP decision into Shopify’s Customer Privacy API, checkout can still behave as if analytics/marketing consent is denied, even after the user clicked Accept.
The Cookiebot Shopify app should handle this sync. A manual theme.liquid install from the generic Cookiebot docs may not. That’s probably where the setup breaks.
Loading Cookiebot via GTM, as Dmytro suggested, can work if the Stape app is loading GTM inside the checkout sandbox and the CMP logic runs there too. But I get your concern: it can delay the banner. On slower connections/mobile, that delay between page load and banner render is not ideal.
There is a third option worth testing: Stape released a Shopify Customer Privacy API tag for GTM web. You could keep Cookiebot in theme.liquid for fast banner load, then use that tag to sync the accepted/rejected state into Shopify’s Customer Privacy API when Cookiebot fires its consent callbacks.
That gives you the best of both setups: fast banner load on the storefront, and correct Shopify consent state for checkout.
The thing I would verify first: accept consent on the storefront, go to checkout, open DevTools, and inspect Shopify’s consent state / _tracking_consent behavior. If analytics and marketing still appear denied after acceptance, the CMP → Shopify sync is not working.