For future reference, Netlify redirects erase all data after # — and the magic link urls from Supabase contain a #, after which all of the tokens are included.
I solved this by first redirecting the magic link to a client side page, then taking the refresh token from the magic link url in the browser and submitting it as a query parameter in an XHR request to a Netlify function page, and authenticating by getting the refresh token from the query parameter in the Netlify function page and sending it to Supabase with this code (after creating the Supabase client in the Netlify function page):
const { data, error } = await supabase.auth.refreshSession({ refresh_token })
const { session, user } = data
I also learned that Netlify redirects in general erase query parameters, and the redirect or Netlify.toml file must be adjusted to include query parameters that should be included on the redirect (documentation here: Redirect options | Netlify Docs)