This was simply a user error. I'd been using the csrf package and hadn't spotted that the package to use next time around was a subtly different name - csurf.