It seems that OAuth authorization sometimes expires, and csrf tokens are not longer returned when requested until the user reauthorizes the app.
If that is intentional (hopefully not), I have not found any documentation about the circumstances under which to expect that.