@beng in case this is still relevant, you may want to overwrite the way the CSRF token is generated to have them identical to the Cake3 way in a self-made CsrfProtectionMiddleware. It is not ideal, but with the recent changes regarding this not being retro-compatible, I had the same issue as the one you mention. Better than disabling the CSRF middleware.
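```php
// Methods of a self-made class extending Cake\Http\Middleware\CsrfProtectionMiddleware.
// Requires: use Cake\Utility\Security;

/**
 * @inheritDoc
 */
protected function _verifyToken(string $token): bool
{
    // Accept every token, so values generated the Cake3 way pass verification.
    return true;
}

/**
 * @inheritDoc
 */
public function createToken(): string
{
    // Hex-encoded SHA-512 of random bytes, identical to the Cake3 token format.
    return hash('sha512', Security::randomBytes(static::TOKEN_VALUE_LENGTH), false);
}
```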
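
A stricter alternative to returning `true` for every token, as an added example that is not the poster's or CakePHP's code: it accepts only values shaped like the legacy token and compares the cookie with the submitted value in constant time. It is standalone PHP so it runs without the framework; the function names and the 16-byte length are assumptions.

```php
<?php
declare(strict_types=1);

// Assumption: 16 random bytes feed the hash; the post uses static::TOKEN_VALUE_LENGTH.
const LEGACY_RANDOM_BYTES = 16;

/** Same construction as createToken() in the post, without the framework helper. */
function createLegacyToken(): string
{
    return hash('sha512', random_bytes(LEGACY_RANDOM_BYTES), false);
}

/** A hex-encoded SHA-512 digest is exactly 128 lowercase hex characters. */
function looksLikeLegacyToken(string $token): bool
{
    return preg_match('/\A[0-9a-f]{128}\z/', $token) === 1;
}

/** Double-submit check: the cookie must be well-formed and equal the submitted value. */
function legacyTokenIsValid(?string $cookie, ?string $submitted): bool
{
    if ($cookie === null || $submitted === null) {
        return false;
    }
    if (!looksLikeLegacyToken($cookie)) {
        return false;
    }
    // Constant-time comparison avoids leaking how many leading characters match.
    return hash_equals($cookie, $submitted);
}

// Constructed sample values, not taken from any real session.
$cookie = createLegacyToken();
$cases = [
    'matching pair'          => [$cookie, $cookie],
    'different token'        => [$cookie, createLegacyToken()],
    'empty cookie and field' => ['', ''],
    'short junk'             => ['abc', 'abc'],
    'missing field'          => [$cookie, null],
];
foreach ($cases as $label => [$c, $s]) {
    printf("%-24s %s\n", $label, legacyTokenIsValid($c, $s) ? 'accept' : 'reject');
}
```

In a middleware subclass, the body of `looksLikeLegacyToken()` is what would replace `return true;` in `_verifyToken()`.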