CSRF on token deletion endpoint missing

[phavekes]

This issue is imported from pivotal - Originaly created at Nov 6, 2023 by Peter Havekes

The endpoint
/recovery-token/delete/ does not require a valid CSRF token - deletion can be invoked via requests
initiated from other origins through prior knowledge of the UUID

[johanib]

Probably best to convert Delete to a symfony form.

---

Also, check if there are more routes that do not use the CSRF protection.