First, I want to show useful debugging tips for CSRF. Developer tools Network tab show useful information.

My problem was that I am accessing site in http rather than https. But since this is development environment, and for debugging purpose, CSRF_COOKIE_SECURE should be False. But I already set CSRF_COOKIE_SECURE=False in .env. My issue was that CSRF_COOKIE_SECURE read from .env file but it read as str instead of bool which is causing the issue.