nchmy 6 days ago

A few more links that I collected recently on the topic:

https://github.com/golang/go/issues/73626

https://developer.mozilla.org/en-US/docs/Web/Security/Attack...

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...

https://web.dev/articles/fetch-metadata

https://appliedgo.net/spotlight/csrf-dont-mess-with-my-site/

And some older ones that focused on the Origin header rather than sec-fetch-*:

https://www.sjoerdlangkemper.nl/2019/02/27/prevent-csrf-with...

https://www.brandur.org/fragments/origin

https://srungta.github.io/blog/start-right/ui-nonce