The DELETE method is listed in Validator::NO_BODY_METHODS, which means that body validation is skipped for it. However, this makes it impossible to provide a CSRF token to any endpoint using DELETE, and I can't think of sensible alternatives.
As far as I can see, no specification forbids a request body for DELETE requests. Some do mention that the behaviour could be undefined, or that the server may reject the request (e.g. RFC 7231); hence, ignoring the body is fine. However, processing the body should also be fine and the CSRF token seem to be a valid use case (at least until we'll have better support for using OAuth tokens instead of cookies). So I'd propose that the request body would not be ignored for DELETE requests.
(As a case in point, here is an endpoint in the CampaignEvents extension that uses DELETE and also needs to check the CSRF token)