Use idempotency token of some sort for write actions

Using an csrf token would probably work in the frontend. As long as it is properly invalidated after a request.
But additional care is needed when the frontend allows for a retry with a new csrf token as this request would still result in a valid response but without any write being performed (because Apollo would remember the idempotency token, but not the changed csrf token).