This is what I found when I had to fix the same error:
When a user signs into an app, and if there is no ‘Get entry’ or ‘Get list’ in the microflows between clicking the sign-in button and rendering the homepage, then there is no csrf token for SAP available in the session.
The csrf token for SAP is generated at the moment that the first ‘Get entry’ or ‘Get list’ action is executed. For example, when the user clicks a button that has a microflow with a ‘Get entry’ or ‘Get list’ behind it.
The token is valid for the duration of the session and Mendix will automatically use it for any subsequent ‘Create’ actions.
If you perform a ‘Create’ before any ‘Get entry’ or ‘Get list’ is executed, you will receive the ‘csrf token validation failed’ error.
So what I have done in our app is the following: before any ‘Create’ I first check if there is a csrf token associated with the session. I do a retrieve, get a list and take the head to get the latest one. If this is not empty, and has a value, I use it. If it is empty, I do a ‘Get entry’ and then Mendix can take it from there.
Note: the csrf token for SAP is not the attribute CSRFToken of Session, it is the attribute csrfTokenValue of CSRFToken, an entity that is associated to Session.
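An added example (not code from the post or from Mendix) that models the guard described in this answer: a session with associated CSRFToken objects, a retrieve that takes the head of the list to get the latest token, and a ‘Create’ that first runs a ‘Get list’ when no token exists. The entity and attribute names (Session, CSRFToken, csrfTokenValue) come from the post; the mock SAP service and the X-CSRF-Token header handshake are my assumptions about how SAP Gateway issues and checks the token, not something the post states.

```python
"""
Added example, not part of the forum post or of Mendix.
Assumption: the SAP service issues a token on a GET that carries
'X-CSRF-Token: Fetch' and rejects a Create whose token it never issued.
"""
from dataclasses import dataclass, field
import secrets
from typing import Optional


class CsrfValidationError(Exception):
    """Raised by the mock SAP service when a Create lacks a valid token."""


class MockSapService:
    """Constructed stand-in for an SAP OData service (assumed behaviour)."""

    def __init__(self) -> None:
        self._issued: set[str] = set()
        self.entries = {"1": {"id": "1", "name": "existing"}}

    def get(self, headers: dict) -> tuple[dict, dict]:
        """'Get list' / 'Get entry': returns a fresh token when asked to Fetch."""
        resp_headers = {}
        if headers.get("X-CSRF-Token") == "Fetch":
            token = secrets.token_hex(16)
            self._issued.add(token)
            resp_headers["X-CSRF-Token"] = token
        return resp_headers, dict(self.entries)

    def post(self, headers: dict, body: dict) -> dict:
        """'Create': only accepted with a token this service issued."""
        token = headers.get("X-CSRF-Token")
        if token not in self._issued:
            raise CsrfValidationError("csrf token validation failed")
        new_id = str(len(self.entries) + 1)
        self.entries[new_id] = {"id": new_id, **body}
        return self.entries[new_id]


@dataclass
class CSRFToken:
    """Mirrors the CSRFToken entity from the post: the token lives here, not on Session."""
    csrfTokenValue: str
    createdDate: int  # increasing counter, so the newest token sorts first


@dataclass
class Session:
    tokens: list[CSRFToken] = field(default_factory=list)  # the Session -> CSRFToken association
    _clock: int = 0


def latest_token(session: Session) -> Optional[str]:
    """Retrieve the session's CSRFToken list, sort newest first, take the head."""
    if not session.tokens:
        return None
    head = sorted(session.tokens, key=lambda t: t.createdDate, reverse=True)[0]
    return head.csrfTokenValue or None


def get_list(sap: MockSapService, session: Session) -> dict:
    """'Get list' action: performs the GET and stores any issued token on the session."""
    hdrs, body = sap.get({"X-CSRF-Token": "Fetch"})
    if "X-CSRF-Token" in hdrs:
        session._clock += 1
        session.tokens.append(CSRFToken(hdrs["X-CSRF-Token"], session._clock))
    return body


def create(sap: MockSapService, session: Session, payload: dict) -> dict:
    """'Create' action: sends whatever token the session holds (possibly none)."""
    headers = {}
    tok = latest_token(session)
    if tok:
        headers["X-CSRF-Token"] = tok
    return sap.post(headers, payload)


def ensure_token_then_create(sap: MockSapService, session: Session, payload: dict) -> dict:
    """The guard from the post: if the session has no token, run a Get first, then Create."""
    if latest_token(session) is None:
        get_list(sap, session)
    return create(sap, session, payload)


def demo() -> tuple[bool, str, int]:
    """Create straight after sign-in fails; the guarded Create succeeds with one token."""
    sap = MockSapService()
    fresh = Session()
    try:
        create(sap, fresh, {"name": "too early"})
        naive_failed = False
    except CsrfValidationError:
        naive_failed = True
    guarded = Session()
    result = ensure_token_then_create(sap, guarded, {"name": "ok"})
    return naive_failed, result["name"], len(guarded.tokens)


if __name__ == "__main__":
    print(demo())
```

In a real Mendix app the same check is done in the microflow: retrieve the CSRFToken objects over the association from Session, sort descending, take the head, and branch on whether csrfTokenValue is empty. The mock above makes the two outcomes the post describes visible in one run: a bare ‘Create’ on a new session raises the validation error, while the guarded version fetches once and then reuses that token for every later ‘Create’.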