Now it seems that you missed to pass "fetch" as value for the x-csrf-token.
In the followng screenshot there is an example:
- The request header contains "x-csrf-token" with value "fetch".
- The response header constains "x-csrf-token" with the token value. This token value then has to be used in the request header as value for the "x-csrf-token".
In UI5 the token handling is done by the OData Model (SAPUI5 SDK - Demo Kit).