Matt Raible
You are right. In my experience, you don’t need CSRF unless you’re on the same domain. Also, SameSite cookies might make it so CSRF isn’t necessary.
I recommend checking out JHipster. It allows you to create apps like the one here, but with much less code.