As far as I know every time you open new session with website you recieve unique csrf token that is assigned to your session. I did some research on my own and most sources say that websites should not use it to track your activity but it depends on their privacy policy. Lets say I did not use proxy and got assigned token, made config and try thousands of user:pass combinations with same token as in my private session which is illegal. Isn’t it quite dangerous when it comes to opsec?
tl;dr: Does using your private csrf token can cause problems?