Thanks @jmangelo.
The difficulty I have is balancing the problems we’ve had using the CSRF protection (Safari localStorage forgetting state value used for CSRF protection) with the benefit it provides, but as you say that depends on the rest of the system.
So far I’ve been unable to explain in business terms to the business user what the the consequences would be of not having CSRF - e.g. describing the severity of the potential vulnerabilities it could open.
Thanks for your input.