I'm kind of behind the curve when it comes to OWASP for web, compared to #phoenix authors, but it seems like my header-based MITM / replay prevention called Chappy does the same thing as the CSRF-mitigation.
I'm such a "not invented here" guy, holy shit.