Thanks for everyone's help! This has finally been solved. I hope this thread will help someone in the future.
The problem was the cache server didn't have my domain as an exception. I'm not sure if it's because the cache didn't work, causing the session not to work, resulting in the CSRF token being generated on each refresh.
But the fix was to add the domain to the cache server exception list and everything works normally.
So no need to disable any services or add the following to .htaccess.
