Well, thanks again for the help @Toerktumlare, the solution basically is the following, based on the content linked in your comments:

• I created the SpaCsrfTokenRequestHandler class, combining the single-page application (handle and resolveCsrfTokenValue methods) and the deferred token opt-out (calling setCsrfRequestAttributeName with null) solutions from the linked documentation
• I added it as csrfTokenRequestHandler to the HttpSecurity CSRF configuration
• I created the CsrfCookieFilter class from the documentation, I added it to the HttpSecurity configuration
• I added the /login endpoint to be ignored in the CSRF configuration

This way when the /login is invoked with POST, it is ignored by the CSRF check so it is allowed, but due to the deferred opt-out config, a CSRF token is being generated and returned in the HTTP response. Also I get the expected HTTP 204 response for the login, instead of a 302 redirect. I can use the token from the response in the subsequent POST calls (I made the appropriate changes on our front-end too).