A short blog post but I’ve also realised that the CSRF token isn’t required to be within a form. It can be placed within your tags. Generally I think in future cases I won’t add additional token tags as they do produce the same token despite having two tags in different locations on the same page.
Example header token CSRF