After reading a few things about CSRF, it's not really Apache's job to protect. The reason mod_security can protect against c/xsrf is because it actually inspects the request for a great many things. It's more the browser's and web app's job to make sure these things are coming from the right origin. Nothing should ever depend on the Referrer for granting anything because the headers can be forged.
That said, I suggest you read OWASP's CSRF Prevention Cheat Sheet.
Also, there are Headers you can set to tell browsers how to behave when it comes to your server/site.
See https://securityheaders.io/. Run a scan on your site and when you get your score, the page in the bottom section has links to explain the various headers. In the case of CSRF, XSS is not always required but quite often helps pull off the attack. There's a header for it. "X-XSS-Protection: 1; mode=block".
Another would be Referrer-Policy. It has a few options and the link for the explanation is also in that bottom section.
This is what I use on my server (which isn't this one).
Header set Content-Security-Policy "default-src 'self' mydomain.net *.mydomain.net; img-src 'self' data:; style-src 'self' mydomain.net *.mydomain.net; frame-ancestors 'self'"
Header always set X-Xss-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Expect-CT "max-age=30; report-uri=\"https://www.mydomain.net/ct/report\""
Header always set X-Frame-Options SAMEORIGIN
Header always set Strict-Transport-Security "max-age=63072000;"
I get an A+ grade at securityheaders.io.
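The answer above places CSRF defence in the web application and says nothing should be granted on the strength of the Referer header. As an added example (not part of the original post, and not OWASP's code), here is one way an application can check a session-bound, HMAC-signed CSRF token instead. The function names, the `csrf_token` form field, the `X-CSRF-Token` header and the in-memory key are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

# Constructed demo key (assumption): a real application loads a stable key
# from its secret store so tokens survive restarts.
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str, key: bytes) -> str:
    # Binding the MAC to the session id makes a token useless in any other
    # session. Assumes session ids never contain the '!' separator.
    msg = f"{session_id}!{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Return 'nonce.mac' for embedding in a form or a custom header."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce, key)}"


def verify_csrf_token(session_id: str, token: str, key: bytes = SERVER_KEY) -> bool:
    """True only if this server issued the token for this session."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = _mac(session_id, nonce, key)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(mac.encode(), expected.encode())


def handle_request(method: str, session_id: str, headers: dict, form: dict) -> int:
    """Return an HTTP status. The Referer header is never consulted."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return 200  # safe methods must not change state, so no token needed
    token = form.get("csrf_token") or headers.get("X-CSRF-Token", "")
    return 200 if verify_csrf_token(session_id, token) else 403
```
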