CSRF error in Ajax POST request

This doesn’t answer your question directly, but instead it shows a working solution of using AJAX with CakePHP 4 and CSRF and as a bonus the form tampering protection too: -

In there it doesn’t access the token directly from getParam(), but uses the CakePHP form creator to populate the hidden field it uses for passing the token (so it’s in the form, not the header). It may help.
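
The approach described in the post above, sketched as an added example that is not part of the original post or of the solution it refers to: the AJAX call serializes the whole FormHelper-rendered form, so the hidden CSRF and form-tampering fields travel in the body. `buildCakeAjaxPost` and `submitCakeForm` are hypothetical names, the sample values are constructed, and it assumes both the CSRF middleware and the FormProtection component are enabled.

```javascript
// Hidden inputs CakePHP 4's FormHelper emits when CSRF protection and
// FormProtection are enabled (assumed here). Values come from the rendered form.
const REQUIRED_HIDDEN = ['_csrfToken', '_Token[fields]', '_Token[unlocked]'];

// Build fetch() arguments from a form's [name, value] pairs. Refuses to send
// when a protection field was dropped, which is what happens when the payload
// is hand-assembled from the visible inputs only.
function buildCakeAjaxPost(action, entries) {
  const body = new URLSearchParams();
  for (const [name, value] of entries) body.append(name, value);
  const missing = REQUIRED_HIDDEN.filter((n) => !body.has(n));
  if (missing.length > 0) {
    throw new Error('missing hidden field(s): ' + missing.join(', '));
  }
  return {
    url: action,
    options: {
      method: 'POST',
      credentials: 'same-origin', // send cookies so the server can match the token
      headers: { 'X-Requested-With': 'XMLHttpRequest' },
      body, // sent as application/x-www-form-urlencoded
    },
  };
}

// Browser usage: FormData(form) picks up every hidden input FormHelper emitted,
// so nothing has to be read from the request or copied into a header.
async function submitCakeForm(form) {
  const { url, options } = buildCakeAjaxPost(form.action, [...new FormData(form)]);
  return fetch(url, options);
}

// Constructed sample of what a FormHelper-rendered form serializes to.
const SAMPLE_ENTRIES = [
  ['_csrfToken', 'constructed-csrf-token'],
  ['title', 'Hello'],
  ['_Token[fields]', 'constructed-fields-hash'],
  ['_Token[unlocked]', ''],
];
```

If FormProtection is not loaded in the controller, only `_csrfToken` is present and the other two names should be removed from `REQUIRED_HIDDEN`.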