There are certain cases where the CSRF tokens are injected into forms and sensitive URLs but are rarely checked and validated on the server side.

That being said, I recall a CSRF vulnerability in Facebook's AppCenter, uncovered by an Indian researcher called Amol Naik, in which he explained how he managed to bypass the AppCenter authentication (the AppCenter is basically a marketplace from which users can install different apps/games to their Facebook profile).

In the authentication phase Amol saw that Facebook was correctly sending their anti-CSRF token fb_dtsg alongside the approval request, however, on the server side, the request was not getting validated and was ignored, which simply meant that their token ...