Contrast looks for recognized industry-standard patterns; it doesn't just check whether you're doing CSRF validation. DWR's structure makes CSRF protection non-standard. If your app does not use a specific header (like x-csrf-token), or if it sends the token as a parameter, or if it validates the token incorrectly or too late (in the request lifecycle), Contrast will likely flag it.
So here is what you can do:
1- You can store the CSRF token in the session, embed it in the page (in a JS variable), then send it with every AJAX/DWR request.
Contrast expects this kind of setup (it matches secure frameworks like Spring).
I don't know how to implement it in Java, but you can do it like this:
1- Generate the token on the server side, send it to the client (for example at login, as a variable), then store it in a JS variable on the front end.
2- Add the token as a custom header (like x-csrf-token) in DWR (before the request is sent).
3- Now validate it on the server side.
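
The three steps above as a Java servlet filter, added here as an example and not part of the original answer or of DWR or Contrast. The class name `CsrfHeaderFilter`, the session attribute `csrfToken`, the `javax.servlet` API level and the assumption that DWR remote calls arrive as POST are all choices made for this sketch; `dwr.engine.setHeaders` in the comment is the engine.js call for attaching headers to every DWR request and should be checked against your DWR version.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: class and attribute names are assumptions, not DWR or Contrast API.
// Map this filter to the DWR servlet's URL pattern so it runs before DWR dispatches a call.
public class CsrfHeaderFilter implements Filter {
    static final String SESSION_ATTR = "csrfToken";
    static final String HEADER = "X-CSRF-Token";
    private static final SecureRandom RNG = new SecureRandom();

    // Step 1: call at login; the page template writes the result into a JS variable.
    // Step 2 (client side): dwr.engine.setHeaders({ "X-CSRF-Token": csrfToken });
    public static String issueToken(HttpSession session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(SESSION_ATTR, token);
        return token;
    }

    // Step 3: compare header and session token in constant time; null never matches.
    static boolean matches(String expected, String sent) {
        return expected != null && sent != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), sent.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        String m = req.getMethod();
        // Script fetches (engine.js, interface files) are GET and pass through unchecked.
        boolean safe = "GET".equals(m) || "HEAD".equals(m) || "OPTIONS".equals(m);
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(SESSION_ATTR);
        if (!safe && !matches(expected, req.getHeader(HEADER))) {
            ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token missing or invalid");
            return;
        }
        chain.doFilter(rq, rs);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

Because the check runs in a filter ahead of the DWR servlet, the token is validated early in the request lifecycle and read from a header, which are the two properties the answer says Contrast looks for.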