An attacker cannot make the request himself. What he can do is trick his victim (or the victim's browser) into making this request. Thus, any response will return to the victim's browser.
The problem is that an attacker can choose a URL, and even without seeing the response, accessing this URL can have harmful consequences for the victim.
The reason the attacker must trick the victim into making the request (as opposed to simply accessing the URL himself) is that if the victim does this, the victim's session cookies will also be sent along with it, so this looks like an authenticated action to the server.
If I set the token in a hidden input and the .html page loads, the attacker can also make a "get html" request to get this .html page and read the value of the hidden input.
An attacker can only get the hidden input for his own session, and not for the victim's session. This hidden input will differ from session to session (otherwise there is no point).
The CSRF token ensures that each (critical) request includes a random piece of data that must correspond to the user's session. Thus, an attacker cannot just guess what the full URL will be and trick someone into clicking on it.
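The mechanism described in the answer above, as an added example that is not part of the original post or of any particular framework: a minimal simulated server with an in-memory session store (hypothetical `SESSIONS`, `create_session`, `render_form` and `handle_transfer` names are assumptions for illustration). It generates a per-session CSRF token, embeds it in a hidden input, and checks the submitted token against the one bound to the session identified by the cookie. The `demo()` function plays out the three cases the answer discusses: the victim's own form submission, a cross-site forged request where the browser attaches the victim's cookie but the attacker's page cannot read her hidden input, and an attacker who fetched the HTML page himself and therefore only holds the token for his own session.

```python
import hmac
import re
import secrets

# Constructed in-memory session store for the example: session_id -> session data.
# A real application would keep this in its session backend.
SESSIONS = {}


def create_session(user):
    """Log a user in: issue a session id and a CSRF token bound to that session."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """Return the hidden input the server embeds in the HTML form for this session.
    Only the holder of the session cookie can obtain this markup, so the token
    it contains is only ever the requesting user's own token."""
    token = SESSIONS[sid]["csrf_token"]
    return f'<form method="post" action="/transfer"><input type="hidden" name="csrf_token" value="{token}"></form>'


def parse_hidden_token(html):
    """What a browser (or an attacker who fetched the page himself) can read from the HTML."""
    match = re.search(r'name="csrf_token" value="([^"]*)"', html)
    return match.group(1) if match else ""


def handle_transfer(cookies, form):
    """Simulated state-changing endpoint. `cookies` and `form` are dicts, as the
    browser would send them. Returns (status_code, message)."""
    sid = cookies.get("session")
    session = SESSIONS.get(sid)
    if session is None:
        return (401, "not logged in")
    submitted = form.get("csrf_token", "")
    # Compare against the token bound to THIS session, in constant time so the
    # comparison itself does not leak which prefix of the guess was right.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return (403, "CSRF token mismatch")
    return (200, f"transferred {form.get('amount')} from {session['user']}")


def demo():
    """Play out the three cases and return the status code each one gets."""
    victim = create_session("alice")
    attacker = create_session("mallory")
    victim_cookie = {"session": victim}  # the browser attaches this automatically

    # 1. Victim's own browser submits the form that was rendered in her session.
    legit = handle_transfer(
        victim_cookie,
        {"csrf_token": parse_hidden_token(render_form(victim)), "amount": "10"},
    )

    # 2. Cross-site forged request: the victim's browser still sends her cookie,
    #    but the attacker's page never saw her hidden input, so no token is sent.
    forged_no_token = handle_transfer(victim_cookie, {"amount": "1000"})

    # 3. Attacker fetches the HTML page himself: he only gets the token for HIS
    #    session, which is not the one bound to the victim's cookie.
    attacker_token = parse_hidden_token(render_form(attacker))
    forged_own_token = handle_transfer(
        victim_cookie, {"csrf_token": attacker_token, "amount": "1000"}
    )

    return {
        "legit": legit[0],
        "forged_no_token": forged_no_token[0],
        "forged_attacker_token": forged_own_token[0],
    }


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is that the check is not "is a token present" but "does the submitted token match the one bound to the session named by the cookie"; the attacker holds a valid token, just for the wrong session, and that is why per-session (rather than global) tokens are what defeat the attack.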