Typically, you should place these kinds of routes outside of the web middleware group that Laravel applies to all routes in the routes/web.php file.
Even in tests, it is only for convenience that the CSRF middleware is automatically disabled for all routes.