Problem resolved here:
The XSRF token is encrypted and in fact it is the same token.
You cannot and should not disable Laravel's Set Cookie header, which it sends to SPA API requests (for my case with CSRF-protection).
The /sanctum/csrf-cookie is needed in order to be sure that the SPA has a token, because it may not send GET requests when the page loads, as in my case.
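The flow described in this answer, as an added example that is not part of the original post: the SPA primes the cookie with GET /sanctum/csrf-cookie only when it has no XSRF-TOKEN yet, then echoes the decoded cookie value in the X-XSRF-TOKEN header. The cookie source and fetch implementation are passed in as parameters (an assumption made so the code runs outside a browser); the cookie and header names are Sanctum's defaults.

```javascript
// Added example (not from the original post): SPA-side handling of Laravel
// Sanctum's cookie-based CSRF protection. Assumes Sanctum's default cookie
// name XSRF-TOKEN and header name X-XSRF-TOKEN.

// Read the XSRF-TOKEN value from a document.cookie-style string.
// Laravel URL-encodes the cookie value, so it is decoded before use.
function readXsrfToken(cookieString) {
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === 'XSRF-TOKEN') return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Make sure the browser holds an XSRF-TOKEN cookie before any state-changing
// request. If the SPA has not issued a GET yet (so no Set-Cookie was ever
// received), prime it with GET /sanctum/csrf-cookie, which answers 204.
// getCookies and fetchImpl are injected (assumption) so this runs headless.
async function ensureCsrfCookie(getCookies, fetchImpl, baseUrl) {
  if (readXsrfToken(getCookies())) return false;            // already primed
  const res = await fetchImpl(`${baseUrl}/sanctum/csrf-cookie`,
                              { credentials: 'include' });
  if (res.status !== 204) throw new Error(`csrf-cookie failed: ${res.status}`);
  return true;                                               // cookie was set
}

// Headers for a state-changing request: the cookie value is echoed in
// X-XSRF-TOKEN so Laravel can compare the two (double-submit check).
function csrfHeaders(cookieString) {
  const token = readXsrfToken(cookieString);
  if (!token) throw new Error('missing XSRF-TOKEN cookie');
  return { 'X-XSRF-TOKEN': token, 'X-Requested-With': 'XMLHttpRequest' };
}
```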