Was this ever figured out? I'm having the exact same problem - happens when I try to submit from an AEM form to an AEM servlet endpoint, and I did all the correct configuration in CSRF and excluded the path in the authentication manager. All my servlet has in it is an empty "doPost" override.