In terms of guidance about CSRF protection in login scenarios I think it pretty much boils down to what James already mentioned, that is, you should employ CSRF protections for this scenario. In terms of what is contained in the documentation, if we focus solely on that single phrase you mentioned that states that a CSRF attack can occur by a malicious actor performing an unwanted action on an authenticated site I would agree that this could be interpreted as only considering scenarios where the user is already authenticated, however, I don’t see this as implying that the login scenario is excluded and only see it as an example (likely the most common one) of that attack.
In addition, when the whole page focus on a technique to prevent CSRF on OIDC/OAuth 2.0 transactions then it would be hard to say that it is excluding login scenarios from this attack vector. As an additional and more personal note I would say it’s likely better to mitigate against CSRF everywhere then to try to review if specific scenarios require this or not. However, this is mostly a personal opinion and there will likely be scenarios where you could omit such protection, but they will be likely very specific to the application/system in question so it’s hard to voice an opinion on it without knowing the entire system.