Using net/http's CrossOriginProtection (https://pkg.go.dev/net/http#CrossOriginProtection), available from Go 1.25, I was able to properly set up deterrence against CSRF in a manner that solves my problem.
Only trusted origins are allowed to make requests to my API, and since all modern browsers send Origin, Referer as well as Sec-Fetch-Site headers, this means the threat is mitigated.
The only concession is older browsers are not supported, but in truth, my use case does not need to support pre-2010 browsers - upgrade your browsers!