It’s now possible to disable the protection via the rails console by running
SiteSetting.discourse_connect_csrf_protection=false
You should only do this if you understand and accept the risks it introduces. For anyone hosted by discourse.org, please get in touch and we can flip the setting for you.
(cc @rysher who had a similar request)