While researching it some more, it seems that using SameSite=Lax and making sure that only POST requests change state should be enough; additionally I might check the Sec-Fetch-Site and Referer headers and block the request if the value is wrong.
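As an added example that is not part of the post above, here is what those three checks look like when written out as a request gate: safe methods pass through, Sec-Fetch-Site is consulted when the browser sends it, and Origin/Referer are the fallback when it does not. It is plain JavaScript over a minimal request object of the shape `{method, headers}` (an assumed shape, not any framework's request type), and `siteOrigin` is the application's own origin supplied by the caller.

```javascript
// Added example, not the original poster's code: a CSRF gate for
// state-changing requests built from the checks the post describes.
// The request shape {method, headers} and the siteOrigin parameter are
// assumptions for this example.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Sec-Fetch-Site values that a state-changing request is allowed to carry.
// "same-site" is deliberately left out: SameSite=Lax cookies are scoped to
// the registrable domain, so a compromised sibling subdomain could still
// forge a POST with cookies attached; requiring same-origin closes that gap.
// "none" is a user-initiated navigation (typed URL, bookmark).
const ALLOWED_FETCH_SITE = new Set(["same-origin", "none"]);

// Case-insensitive header lookup over the assumed plain-object headers.
function headerOf(req, name) {
  const key = Object.keys(req.headers || {}).find(k => k.toLowerCase() === name);
  return key === undefined ? undefined : req.headers[key];
}

// Reduce a Referer URL to its origin; malformed values yield null (rejected).
function originOf(urlString) {
  try { return new URL(urlString).origin; } catch { return null; }
}

// Returns {allow, reason}. Callers reject the request when allow is false.
function csrfGate(req, siteOrigin) {
  const method = req.method.toUpperCase();

  // Safe methods never change state, so they need no CSRF check. The server
  // must actually honour that: a state-changing GET is reachable through a
  // top-level navigation, and SameSite=Lax still attaches cookies to those.
  if (SAFE_METHODS.has(method)) return { allow: true, reason: "safe method" };

  // Sec-Fetch-Site is set by current browsers and cannot be set or altered
  // by page script, so it is the preferred signal when present.
  const fetchSite = headerOf(req, "sec-fetch-site");
  if (fetchSite !== undefined) {
    return ALLOWED_FETCH_SITE.has(fetchSite)
      ? { allow: true, reason: `sec-fetch-site=${fetchSite}` }
      : { allow: false, reason: `sec-fetch-site=${fetchSite}` };
  }

  // Fallback for browsers without Fetch Metadata: Origin first (sent on all
  // browser POSTs), then Referer. Both are forbidden headers, so script
  // cannot spoof them; compare origins, never prefixes or substrings.
  const origin = headerOf(req, "origin");
  if (origin !== undefined) {
    return origin === siteOrigin
      ? { allow: true, reason: "origin matches" }
      : { allow: false, reason: `origin=${origin}` };
  }
  const referer = headerOf(req, "referer");
  if (referer !== undefined) {
    return originOf(referer) === siteOrigin
      ? { allow: true, reason: "referer matches" }
      : { allow: false, reason: `referer=${referer}` };
  }

  // No provenance at all: fail closed. Referrer-Policy or privacy tooling can
  // strip Referer; the fix for those clients is a token, not an allow here.
  return { allow: false, reason: "no provenance headers" };
}
```

Two caveats worth keeping in mind with this setup. Chrome's "Lax+POST" exception, which lets a cookie ride on a cross-site top-level POST for two minutes after it is set, applies only to cookies that were defaulted to Lax because no SameSite attribute was given; setting `SameSite=Lax` explicitly opts out of it, which is one more reason to set the attribute rather than rely on the default. And because the gate fails closed when no provenance header is present, legitimate clients that strip Referer and lack Fetch Metadata will be rejected; for those a synchronizer or double-submit token is the usual companion.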