As per estrat's post, we solved the issue with the addition of a URL parameter that forces user confirmation that they're on the correct account.
Adding a method to get the CSRF token completely negates the point of a CSRF token in the first place, and removing the CSRF check would re-open the security vulnerability that it’s meant to negate.