I have an optimal architecture in which the first request is completely valid without sending any CSRF token (for actions such as login, create account and recover password).
This is because the CSRF token is created in this same first request: when entering any part of the site, only HTML is displayed; the backend is only involved when performing actions such as submitting forms.
Information requested for each form:
login - username and password
signup - username, password and repeat password
recover - only username (an email is sent to the established address)
The CSRF token is sent even if, for example, the login fails.
With the session cookie it is exactly the same: it is created on the first request.
localStorage is used to store the CSRF token.
Edit: When someone sends an invalid CSRF token, what I do is delete the session, establish a new one and also send a new CSRF token. Is that okay? (Obviously, in this case only actions that do not require a started session are allowed, for example create account, login and recover.)
Anyway, does this present a security problem? Examples?
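As an added example, not code from the question's author, here is a self-contained Python sketch of the flow the question describes: the first request needs no token and issues a session cookie plus a CSRF token, every form POST must carry a token, a token is returned even when the login fails, and an invalid token destroys the session and issues a fresh session and token. The function names (`first_request`, `handle_form`, `csrf_valid`), the in-memory `SESSIONS` and `USERS` stores and the sample credentials are constructed for the example. Two design choices are mine rather than stated in the question: the token is bound to the session it was issued with (a token obtained with one cookie is rejected when presented with another), and the session id is rotated on successful login.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory stores for the example (a real app would use a DB/cache).
SESSIONS: Dict[str, dict] = {}          # session cookie value -> {"csrf": ..., "user": ...}
USERS: Dict[str, str] = {"alice": "correct horse"}   # plaintext only for the demo

PUBLIC_ACTIONS = {"login", "signup", "recover"}     # allowed without a logged-in session


def new_session() -> Tuple[str, str]:
    """Create a fresh session cookie and a CSRF token bound to that session."""
    sid = secrets.token_urlsafe(32)
    csrf = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": csrf, "user": None}
    return sid, csrf


def first_request() -> dict:
    """The initial GET: no token required. The response sets the session cookie
    and hands the client the token it is expected to keep (e.g. in localStorage)."""
    sid, csrf = new_session()
    return {"status": 200, "set_cookie": sid, "csrf": csrf, "body": "<html>...</html>"}


def csrf_valid(sid: Optional[str], token: Optional[str]) -> bool:
    """A token is valid only if it equals the one bound to *this* session cookie."""
    sess = SESSIONS.get(sid or "")
    if sess is None or token is None:
        return False
    return hmac.compare_digest(sess["csrf"], token)


def handle_form(sid: Optional[str], token: Optional[str], action: str, fields: dict) -> dict:
    """Form POST handler. Implements the rule from the question: an invalid
    token deletes the session and issues a new session plus a new token."""
    if not csrf_valid(sid, token):
        SESSIONS.pop(sid, None)                 # drop whatever session the cookie named
        new_sid, new_csrf = new_session()
        return {"status": 403, "set_cookie": new_sid, "csrf": new_csrf, "error": "invalid csrf"}

    sess = SESSIONS[sid]
    if sess["user"] is None and action not in PUBLIC_ACTIONS:
        return {"status": 401, "csrf": sess["csrf"], "error": "login required"}

    if action == "login":
        user = fields.get("username")
        pw = fields.get("password")
        if user in USERS and pw is not None and hmac.compare_digest(USERS[user], pw):
            # Rotate the session id on login (my addition; the question does not describe it)
            # and keep issuing a token with the new session.
            SESSIONS.pop(sid)
            new_sid, new_csrf = new_session()
            SESSIONS[new_sid]["user"] = user
            return {"status": 200, "set_cookie": new_sid, "csrf": new_csrf}
        # Failed login still returns the (unchanged) token, as the question states.
        return {"status": 401, "csrf": sess["csrf"], "error": "bad credentials"}

    if action == "signup":
        user, pw, rep = fields.get("username"), fields.get("password"), fields.get("repeat")
        if not user or not pw or pw != rep or user in USERS:
            return {"status": 400, "csrf": sess["csrf"], "error": "invalid signup"}
        USERS[user] = pw
        return {"status": 200, "csrf": sess["csrf"]}

    if action == "recover":
        # Same response whether or not the username exists, to avoid account enumeration.
        return {"status": 200, "csrf": sess["csrf"], "message": "if the account exists, mail was sent"}

    return {"status": 200, "csrf": sess["csrf"]}   # any other logged-in action
```

Because the token is looked up through the session cookie, the "delete session, issue new one" path also invalidates the old cookie: whatever the cookie named is gone from `SESSIONS`, and only the newly issued pair works afterwards. The comparison uses `hmac.compare_digest` so token checks do not leak timing information.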