CSRF Token not working for creating an end user's section subscription

Hi there,

I'm trying to create my own version of the "subscribe" button for a section in an attempt to make a version of this button that will also subscribe the end user to all of the section's subsections. I was under the impression that I could take advantage of the CSRF token described here to make the POST/DELETE requests needed to "follow" or "unfollow."

So far, however, my attempts have been unsuccessful, and it isn't clear to me if this token can actually be used for this purpose. 

Strangely, I did discover that the "list section subscription" endpoint works even without any token or authentication header for an end user, which I don't really understand. 

I'd be grateful for any information or suggestions.