If a person's traffic is monitored, the hacker will most likely also receive a token. But that sounds like a great plan. I would try adding a honeypot. Try to disguise the token as something else, so this is not obvious. If this happens, send the bad user to the honeypot so they don't know what they were.
My security philosophy is simple and better illustrated by history.
Two men walk in the woods. They see a bear, panic and start to run. When the bear catches up with them, one of them tells the other, "We will never defeat this bear." The other replies: "I do not need to overtake the bear, I only need to overtake you!"
Everything you can add to your site to make it more secure will make it better. Use the framework, check all inputs (including everything in any public method), and you should be fine.
If you store sensitive data, I would install a second SQL server without internet access. Ensure that your second server constantly accesses your front-end server by pulling and replacing sensitive data with dummy data. If your front-end server needs this sensitive data, it most likely uses a special method that uses another database user (who has access) to pull it from the external server. Someone will have to fully own the machine to understand this ... and still take enough time for you to pull out the plug. Most likely, they will pull all your data before they realize that it is a fake ... haha.
I would like to have a good solution for how best to protect my clients in order to avoid CSRF. But what you have seems like a pretty good deterrent.
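As an added illustration of the token-plus-honeypot idea in this answer (example code, not the original poster's): a CSRF token bound to the session with an HMAC, so a token captured from one user's traffic fails validation for any other session, and a failed check returns a decoy response while the hit is recorded. The key handling, the `ref` field name and the `honeypot_hits` sink are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: a real deployment loads the key from configuration
# so tokens survive restarts and are shared across application instances.
SECRET_KEY = secrets.token_bytes(32)

# Hypothetical audit sink; a real application would forward these to its log pipeline.
honeypot_hits = []


def issue_token(session_id: str) -> str:
    """Mint a CSRF token bound to one session: random nonce + HMAC(session, nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_valid(session_id: str, token: str) -> bool:
    """True only if the token was minted for this exact session (constant-time compare)."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_post(session_id: str, form: dict, remote_addr: str) -> dict:
    """State-changing handler: real action on a valid token, decoy response otherwise."""
    token = form.get("ref", "")  # unremarkable field name, as the answer suggests
    if token_valid(session_id, token):
        return {"status": 200, "body": "transfer queued", "decoy": False}
    # Replayed or forged token: record the hit and answer with a harmless lookalike
    # page so the sender gets no signal that the request was rejected.
    honeypot_hits.append({"session": session_id, "addr": remote_addr, "token": token})
    return {"status": 200, "body": "transfer queued", "decoy": True}


if __name__ == "__main__":
    t = issue_token("sess-A")
    print(handle_post("sess-A", {"ref": t}, "198.51.100.7"))   # real action
    print(handle_post("sess-B", {"ref": t}, "203.0.113.9"))    # captured token replayed elsewhere
```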