Your understanding is correct. ASP.NET manages the encryption of your FormsAuthentication token, which is the value of your auth cookie, and this prevents tampering, but if sent over the wire via HTTP it is susceptible to third-party theft, leading to session hijacking.
To your specific questions:
No, AJAX calls should not compromise the security of your site, specifically because they should indeed work over HTTPS.
Yes. You should run everything under HTTPS when you have a website that requires authentication. With relatively modern computers, the performance impact of running under HTTPS should be minimal. It's always valuable to test given your specific scenario, of course, but as a rule, the impact is a single digit percentage or less, and is not what one would generally consider to be noticeable.
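As an added illustration (not part of the original answer), this web.config fragment shows the default forms setting beside one that marks the FormsAuthentication cookie as Secure, so the browser never sends it over plain HTTP. The `loginUrl`, `timeout` and `max-age` values are assumed placeholders.

```xml
<!-- Added example: values for loginUrl, timeout and max-age are assumptions -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Weak: requireSSL defaults to false, so the auth cookie is also
           sent on any plain HTTP request to the site:
           <forms loginUrl="~/Account/Login" timeout="30" />
      -->
      <!-- Hardened: requireSSL="true" sets the Secure attribute on the
           FormsAuthentication cookie -->
      <forms loginUrl="~/Account/Login" timeout="30" requireSSL="true" />
    </authentication>
    <!-- Applies Secure and HttpOnly to other cookies the application issues -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Tells browsers to use HTTPS for all later requests to this host;
             browsers honor it only when it is received over HTTPS -->
        <add name="Strict-Transport-Security" value="max-age=31536000" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

To check the result, sign in over HTTPS and confirm in the browser's developer tools that the auth cookie carries the Secure and HttpOnly flags.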