These are all good/fair questions. I double checked it internally -
For all new tenants, there have been introduced CSRF prevention affecting the behaviour of passwordless with magic links.
However, it can revoked by updating a tenant flag via the Management API as below:
curl -H "Authorization: Bearer YOUR-MGMT-API-TOKEN" -X PATCH -H "Content-Type: application/json" -d '{"universal_login":{"passwordless":{"allow_magiclink_verify_without_session":true}}}' https://YOUR_SUBDOMAIN.auth0.com/api/v2/tenants/settings
I did the same on my new tenant and the magic link works as normal (so requests can be send from both front and backend)
In case of any further issues / further observations, please reach out so we can collect them and take the needed action!
And thank you for all your checks and feedback!