Discuss Scratch

ethernetexplorer
Scratcher
100+ posts

What is the CSRF token?

I'm curious…
DifferentDance8
Scratcher
1000+ posts

What is the CSRF token?

CSRF = Cross-Site Request Forgery
So the CSRF token is probably to prevent CSRF from happening.
SavetheAtlantic
Scratcher
1000+ posts

What is the CSRF token?

Suppose that to follow someone on Scratch, the website simply sends a server a request to follow a user with a specified account name, like this: http://scratch.mit.edu/follow?=<account>. The exact mechanisms to follow someone are much more complex but it is the same conceptually.

The form doesn't need to include your account name, since it can be assumed that you will be logged in when following someone. Say then, “someone” posts the link "http://scratch.mit.edu/follow?=SavetheAtlantic". Then, whenever someone clicks on it and they are logged into Scratch, a request is sent to the server saying you wish to follow SavetheAtlantic, and since you're logged in, it deems it legitimate. This is a cross-site request forgery, or CSRF.

A CSRF token is a long, random number that is designed to be impossible to guess. Each user gets a unique one that belongs to them and it is stored in their browser as a cookie. It then asks for it to verify that you are, in fact, you. A malicious user would then not be able to pull off that trick from before, since they don't have your token.

Last edited by SavetheAtlantic (April 3, 2023 06:45:13)
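The follow endpoint and token check described in the post above, modelled as an added Python example written for this thread (not Scratch's own code). The session store, the user names and the handler names are constructed; the cookie name `csrftoken` and form field `csrfmiddlewaretoken` are the ones Django uses, since the forum runs on DjangoBB.

```python
import hmac
import secrets

# Constructed session store: session cookie value -> logged-in user.
SESSIONS = {"session-abc": "ethernetexplorer"}
FOLLOWS = set()  # (follower, followed) pairs the server has recorded


def issue_csrf_token():
    """Long random value the server sets as a cookie at login."""
    return secrets.token_hex(32)


def follow_unprotected(cookies, form):
    """Vulnerable version: only asks 'who is logged in?'.
    The browser attaches cookies to any request, even one a foreign page
    triggered, so being logged in is not proof the user meant to do this."""
    user = SESSIONS.get(cookies.get("sessionid"))
    if user is None:
        return 401
    FOLLOWS.add((user, form["target"]))
    return 200


def follow_protected(cookies, form):
    """Token version: the form must echo the token held in the cookie.
    A page on another origin cannot read Scratch's cookies, so it cannot
    fill in the field; a forged request therefore fails the comparison."""
    user = SESSIONS.get(cookies.get("sessionid"))
    if user is None:
        return 401
    expected = cookies.get("csrftoken", "")
    supplied = form.get("csrfmiddlewaretoken", "")
    # Constant-time compare so the token cannot be guessed byte by byte.
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403
    FOLLOWS.add((user, form["target"]))
    return 200


def simulate():
    """Run the three cases from the post: forged, legitimate, and a guess."""
    token = issue_csrf_token()
    victim_cookies = {"sessionid": "session-abc", "csrftoken": token}
    forged_form = {"target": "SavetheAtlantic"}  # what a foreign page can send
    legit_form = {"target": "SavetheAtlantic", "csrfmiddlewaretoken": token}
    guessed_form = {"target": "SavetheAtlantic", "csrfmiddlewaretoken": "0" * 64}
    return {
        "unprotected_forged": follow_unprotected(victim_cookies, forged_form),
        "protected_forged": follow_protected(victim_cookies, forged_form),
        "protected_legit": follow_protected(victim_cookies, legit_form),
        "protected_guessed": follow_protected(victim_cookies, guessed_form),
    }
```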

Powered by DjangoBB