Let's say we have a site that uses CSRF tokens in a form.
Now we have a browser/chrome extension (css, js, html), that uses the CSRF that is hidden in an input to do a post request and change the state of our application.
How can one protect against such an attack? Or am I missing something?
The difference between random javascript running on other websites and extension scripts is that the former is untrusted while the latter is trusted.
Extensions act on the behalf of users, users have access to this information (they could just inspect the DOM), so does the extension.
CSRF tokens are only meant to defend against requests from untrusted sources.