Yes, the CSRF error would suggest a bad API key. The other issue you may be running into is that we added some protection for user custom fields back in September 2018. If you want to be able to edit them from the API, you now need to add something like
register_editable_user_custom_field :my_preference
in your plugin. You can find more details on that here: Add a custom per-user setting in a plugin