I am uncertain that the auth_token provides any real protection.
At best, the auth_token protects against a blind POST, but it does not
provide security because an attack can get a valid auth_token with a
GET and then perform the POST.
Assuming that an attack can forge requests on behalf of an authorized
user with an established session (cookie), nothing prevents the attack
from first fetching the form and valid token, then submitting the form
with valid token on behalf of the user.
The attack can behave just like the authorized user would: GET the
form and token, then POST the form and token, so how does the
auth_token provide any protection against CSRF?
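
Added example, not part of the original post: a minimal session-bound token check in Python, showing which of the request sequences discussed above the server accepts. The names `issue_token`, `handle_post` and `run_cases`, the HMAC construction and the session ids are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed per-process server secret (assumption: the token is an HMAC of the session id).
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """auth_token embedded in the form served by GET, bound to one session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_post(session_cookie: str, form: dict) -> int:
    """Return 200 if the submitted auth_token belongs to this session, else 403."""
    submitted = str(form.get("auth_token", ""))
    expected = issue_token(session_cookie)
    # Constant-time comparison so the check does not leak how many characters matched.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403
    return 200


def run_cases() -> dict:
    user, other = "sess-user-1", "sess-other-2"  # constructed session ids
    return {
        # Blind POST: the browser attaches the user's cookie, but no token is known.
        "blind_post": handle_post(user, {"comment": "x"}),
        # Token fetched by GET in a different session, submitted with the user's cookie.
        "token_from_other_session": handle_post(
            user, {"comment": "x", "auth_token": issue_token(other)}
        ),
        # GET then POST inside the user's own session: the GET response was readable.
        "get_then_post_same_session": handle_post(
            user, {"comment": "x", "auth_token": issue_token(user)}
        ),
    }


if __name__ == "__main__":
    for name, status in run_cases().items():
        print(f"{name}: {status}")
```

The third case succeeds only for a client that can read the body of the GET response inside the user's session. A cross-site page in a browser can cause requests to be sent with the user's cookie, but the same-origin policy keeps it from reading the response unless the server opts in through CORS.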