https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern There is already a domain check on the HTTP Referer for all POST requests https://github.com/FreshRSS/FreshRSS/issues/565, but a token (in addition or instead) would be better.
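To make the suggestion concrete, here is an added example (not FreshRSS code, and not from the issue author) of the synchronizer token pattern from the linked OWASP cheat sheet sitting next to a Referer/Origin host check of the kind the comment describes. The deployment host `rss.example.org`, the plain-dict `session`/`form`/`headers` objects and the `_csrf` field name are all assumptions for illustration; a real application would back `session` with its server-side session store.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed host of the deployed application (illustrative, not a real deployment).
SITE_HOST = "rss.example.org"


def referer_is_same_site(headers, allowed_host=SITE_HOST):
    """Origin/Referer host check like the one described in the issue.

    Compares the full hostname, not a prefix, so "rss.example.org.evil.example"
    does not pass. Returns None when neither header is present (browsers and
    proxies may strip them), so the caller can choose to fail closed.
    """
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).hostname == allowed_host
    return None


def issue_csrf_token(session):
    """Synchronizer token: one unguessable secret per session, kept server-side
    and embedded in every state-changing form as a hidden field."""
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)
        session["csrf_token"] = token
    return token


def csrf_token_is_valid(session, submitted):
    """Constant-time comparison of the submitted field against the session copy."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def handle_post(session, headers, form, require_token=True):
    """Decision for a state-changing POST. Returns (accepted, reason).

    With require_token=True the token is mandatory and the Referer check is an
    extra layer; with require_token=False (Referer-only, as today) the request
    must fail closed when the header is missing, which also breaks legitimate
    users whose browser strips it. That is the practical reason to add the token.
    """
    same_site = referer_is_same_site(headers)
    if same_site is False:
        return False, "cross-site Referer/Origin"
    if require_token:
        if not csrf_token_is_valid(session, form.get("_csrf")):
            return False, "missing or invalid CSRF token"
    elif same_site is None:
        return False, "no Referer/Origin to check"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    session = {}
    token = issue_csrf_token(session)
    legit = {"Referer": "https://rss.example.org/i/"}
    forged = {"Referer": "https://evil.example/"}
    print(handle_post(session, legit, {"_csrf": token}))      # (True, 'ok')
    print(handle_post(session, forged, {"_csrf": token}))     # rejected by host check
    print(handle_post(session, legit, {"_csrf": "guess"}))    # rejected by token check
    print(handle_post(session, {}, {"_csrf": token}))         # no Referer, token still valid
    print(handle_post(session, {}, {}, require_token=False))  # Referer-only must fail closed
```

The attacker's page cannot read the victim's token (same-origin policy blocks it) and cannot forge a same-site Referer from a cross-site form, so either check alone stops the plain cross-site POST; the token additionally keeps legitimate requests working when the Referer is absent, which is where a Referer-only check has to choose between failing open and failing closed.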