In Cross-Site Request Forgery:
When the form on the malicious website is submitted, an HTTP request will be sent straight from you to the web application, and because you're authenticated on the website, the transaction could be accepted.
The attacker is using your own authentication against you by forging requests and using you as the messenger to deliver that request.
To prevent it, the programmer uses an anti-forgery token. This token is a string containing a random value, and it is placed in your cookies, in addition to your HTML forms.
When the web application receives a request, it validates that the form contains an anti-forgery token and that it matches the one stored in your cookies. A malicious site cannot see the tokens your website sets on a client, and without this information, the XSRF attack stops in its tracks.
So my question:
Is it possible for a malicious website to send a GET request via JavaScript and, by reading the response, access the anti-forgery token in the hidden input before sending the forged POST request? And if yes, how can it be prevented?
It's not possible on modern browsers, unless you explicitly allow it from the server.
What you are talking about is CORS. If you are on evil.com and the page tries to fetch your-page.io via JS XMLHttpRequest or the new Fetch API in order to read the XSRF token, then a modern browser will first send an OPTIONS request with the origin. The server can then respond with Access-Control-Allow-Origin if that request is allowed from evil.com, in which case you really can steal the XSRF token. But if the server doesn't respond with Access-Control-Allow-Origin, the browser will prevent the JavaScript on evil.com from getting the result, and you can't steal the token.
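The CORS behaviour described in the answer above, as an added example that is not part of the original post: a weak server policy that reflects any Origin, beside an exact-match allowlist, with a simplified model of the browser's check for a credentialed cross-origin read. The `https://` origins, the `ALLOWED` set and all function names are assumptions made for illustration.

```javascript
// Added example. Origins and the allowlist are constructed for illustration.
const TARGET = "https://your-page.io";
const ALLOWED = new Set([TARGET, "https://app.your-page.io"]);

function allowHeaders(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from serving one origin's headers to another
  };
}

// Weak policy: reflects whatever Origin the request carries.
function weakCorsHeaders(origin) {
  return origin ? allowHeaders(origin) : {};
}

// Corrected policy: exact-match allowlist; unknown origins get no CORS headers.
function strictCorsHeaders(origin) {
  return origin && ALLOWED.has(origin) ? allowHeaders(origin) : {};
}

// Simplified model of the browser's decision for a cross-origin request made
// with cookies (fetch with credentials: "include"). Returns true when script
// on pageOrigin is allowed to read the response body.
function scriptCanReadResponse(pageOrigin, targetOrigin, headers) {
  if (pageOrigin === targetOrigin) return true; // same origin: no CORS check
  const acao = headers["Access-Control-Allow-Origin"];
  const acac = headers["Access-Control-Allow-Credentials"];
  // With credentials, "*" is not accepted: the origin must match exactly.
  return acao === pageOrigin && acac === "true";
}

// Can a page on pageOrigin read the form (and its hidden anti-forgery token)
// served by TARGET under the given server policy?
function tokenReadable(pageOrigin, policy) {
  return scriptCanReadResponse(pageOrigin, TARGET, policy(pageOrigin));
}

console.log("weak policy, evil.com:  ", tokenReadable("https://evil.com", weakCorsHeaders));
console.log("strict policy, evil.com:", tokenReadable("https://evil.com", strictCorsHeaders));
```
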