For anyone interested, I've decided to disable Django's CSRF protection and now the mobile client (android specifically) can make logout request by sending only the session id as header.

One can check how to disable it here, provided by Saeed user