Tags: asp.net-mvc, asp.net-core, openid-connect, csrf-protection

Bearer tokens and CSRF


We are building 3 different applications with ASP.NET Core: an MVC application, an API, and an SPA (not Angular). All the actions in these applications are only for authorized users. That's why we protect them with IdentityServer.

We use a cookie to store the value of the bearer token. I understand that the value of the cookie gets sent automatically to the server. But because it should be added as an Authorization header, this is not done by the browser automatically.

Does this mitigate the possibility of a CSRF attack? Or is CSRF still possible with bearer tokens and do we need to add CSRF tokens anyway?


Solution

  • Yes, you still need CSRF tokens.

    If your SPA or MVC application will send requests to your API based on a GET or POST action by the user, you still need CSRF tokens.

    Say someone tricks your users into clicking a link that triggers an action in your SPA, or that posts to your MVC application: the application will happily comply and send the bearer token stored in the cookie as a request header, just as when the user has clicked a link in the application itself.

    That's the whole point of CSRF: an attacker crafts a request just as if the user had invoked an action in your web application.
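As an added, defender-side example that is not part of the question or the answer: an ASP.NET Core minimal-API sketch of the setup the answer describes, where the bearer token is copied from a cookie into the Authorization header and a header-carried antiforgery token is validated on a state-changing endpoint. The cookie name, header name and routes are assumptions.

```csharp
using Microsoft.AspNetCore.Antiforgery;

var builder = WebApplication.CreateBuilder(args);
// The request token travels in a header that only the SPA's own script
// adds; a cross-site form post or link cannot set custom headers.
builder.Services.AddAntiforgery(o => o.HeaderName = "X-CSRF-TOKEN");

var app = builder.Build();

// Assumed setup from the question: the bearer token sits in a cookie
// (name "access_token" is an assumption) and gets copied into the
// Authorization header. The browser attaches the cookie to cross-site
// requests too, so its presence says nothing about who initiated them.
app.Use(async (context, next) =>
{
    if (!context.Request.Headers.ContainsKey("Authorization") &&
        context.Request.Cookies.TryGetValue("access_token", out var token))
    {
        context.Request.Headers["Authorization"] = $"Bearer {token}";
    }
    await next();
});

// The SPA calls this once and keeps the request token in memory; the
// matching cookie half is written by GetAndStoreTokens.
app.MapGet("/antiforgery/token", (IAntiforgery antiforgery, HttpContext ctx) =>
{
    var tokens = antiforgery.GetAndStoreTokens(ctx);
    return Results.Ok(new { token = tokens.RequestToken });
});

// State-changing endpoint: the header token is checked against the cookie
// token before any work happens, so a forged cross-site POST that carries
// only the bearer cookie is rejected here.
app.MapPost("/api/orders", async (IAntiforgery antiforgery, HttpContext ctx) =>
{
    try
    {
        await antiforgery.ValidateRequestAsync(ctx);
    }
    catch (AntiforgeryValidationException)
    {
        return Results.BadRequest("missing or invalid CSRF token");
    }
    // ... place the order for the authenticated user ...
    return Results.Ok();
});

app.Run();
```

Marking the bearer cookie HttpOnly and SameSite=Strict (or Lax) complements this by limiting which cross-site requests carry the cookie at all, but it is not a substitute for the token check.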