Among the measures to prevent CSRF attacks, why is it not recommended to add the token to the URL?

The information found on the Internet generally says that adding the token to the URL may lead to leakage, but I still can't understand this.

Apr.09,2021

A little bit of personal understanding:
If your website contains only your own internal addresses, it should be fine to put the token in the URL. But in places such as forums, where there may be all kinds of links on a website, there is a problem.
A forum website W: http://a.com. If the address of a link in the forum is article.html?id=&token=, there is a dangerous link article.html?id=222&token=111. The page is edited by the user. It has a seductive address http://d.com/danger.html; danger.html has a way to get the Referer, and there is a token in it, and a picture http://a.com/modifyPwd?token=*

  1. User U logged in to forum W; authorization succeeded
  2. User clicks the link article.html?id=222&token=111
  3. User clicks on the seductive URL http://d.com/danger.html
  4. http://a.com/modifyPwd?token=* is issued through img within danger.html
  5. Cross-domain attack succeeded
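The leak in steps 2 and 3 depends on which Referer the browser sends, so this added example (not part of the answer above) models the W3C Referrer Policy rules to show which policies let the token reach another origin. The URLs and the token value 111 are the answer's own; the function names are illustrative, and "downgrade" is simplified to https-to-non-https.

```javascript
// Added example: which Referrer-Policy values expose a token kept in the URL.
const POLICIES = ["no-referrer", "origin", "same-origin", "strict-origin",
  "origin-when-cross-origin", "strict-origin-when-cross-origin",
  "no-referrer-when-downgrade", "unsafe-url"];

// Referer value (or null for "header omitted") sent when pageUrl requests targetUrl.
function refererFor(pageUrl, targetUrl, policy) {
  const from = new URL(pageUrl);
  const to = new URL(targetUrl);
  from.hash = "";                       // fragments are never sent
  from.username = ""; from.password = ""; // credentials are stripped
  const full = from.href;
  const originOnly = from.origin + "/";
  const sameOrigin = from.origin === to.origin;
  // Simplification: the spec compares "potentially trustworthy" URLs.
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error("unknown policy: " + policy);
  }
}

// Token the receiving site could read from the Referer, or null if none.
function leakedToken(referer) {
  return referer === null ? null : new URL(referer).searchParams.get("token");
}

// Policies under which the token in pageUrl reaches targetUrl's server.
function leakingPolicies(pageUrl, targetUrl) {
  return POLICIES.filter(
    (p) => leakedToken(refererFor(pageUrl, targetUrl, p)) !== null);
}

const PAGE = "http://a.com/article.html?id=222&token=111"; // from the answer
const OTHER = "http://d.com/danger.html";                  // from the answer
for (const p of POLICIES) {
  console.log(p.padEnd(32), refererFor(PAGE, OTHER, p));
}
```

Under the older browser default `no-referrer-when-downgrade` the full URL, token included, is sent to the other origin, while `strict-origin-when-cross-origin` sends only `http://a.com/`. A token carried in a request header or POST body never appears in the Referer under any policy, which is why the URL is the discouraged place for it.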