Why aren't the xf_user and xf_session cookies set to SameSite Lax? Assuming all forms are using POST then authentication cookies with the SameSite Lax value will not be sent for cross origin requests, eliminating the need for any anti-CSRF tokens at all.
Both Chrome and Firefox now...