"MOREOVER, Sec-Fetch-Site obviates the need for csrf tokens.", you're just posting misinformation, you are flat out wrong.
"It is important to note that Fetch Metadata headers should be implemented as an additional layer defense in depth concept. This attribute should not replace a [sic] CSRF tokens (or equivalent framework protections)." -- OWASP; https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Re...
That quote is probably referring to the limitations listed later on the page (https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Re...). I think if you understood that this was the caveat, you wouldn’t use the phrasing “flat out wrong” or have brought up all the irrelevant stuff about client/server security earlier in the thread. You have some kind of deeper misunderstanding, but it’s not clear where.
Once again, you have no idea what you're talking about. Moreover, you lack critical thinking skills - the Sec-Fetch-Site section in that doc is senseless and will now be modified to say that Sec-Fetch-Site is sufficient on its own.
"It is important to note that Fetch Metadata headers should be implemented as an additional layer defense in depth concept. This attribute should not replace a [sic] CSRF tokens (or equivalent framework protections)." -- OWASP; https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Re...