
What does an Anti Forgery Token check for, and what does it actually check?


I believe after reading a few other questions that my understanding of Anti Forgery Tokens is incorrect.

I have a few controller post actions that take the same model but perform different actions based on certain logic.

By editing the form's action in Chrome's developer tools, I was able to do something unexpected in my code.

I am guessing I need to use the ActionName("action") data annotation for what I need to do now, however, I am still curious as to what protection the token gives? Is it purely to stop external sites posting to forms but no actual protection within an app?


Solution

  • Antiforgery tokens are to prevent CSRF (cross-site request forgery) attacks. That is all. Imagine a scenario where a malicious actor sets up a Facebook login page clone. It looks just like the Facebook login page, and through some means, they manage to funnel users there (phishing emails, etc.). The user puts in their username and password and hits submit. The form action is set to go to the actual Facebook login page, so as far as the user is ever concerned, they logged in and are now at Facebook as they expected. However, the malicious actor was able to access their credentials when they typed them in, and can now go forth to steal their Facebook account.

    The antiforgery token prevents this by putting a token on the page that must match the token generated server-side, after posting. A third party has no way to generate a token that will match on their own, so now any attempt to carry out something like the above will instantly fail. That is it, in a nutshell.
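To make the mechanism concrete, the following is a constructed model of the synchronizer-token pattern, added here as an illustration; it is not code from the original post and not ASP.NET Core's implementation (there the check is applied by `[ValidateAntiForgeryToken]` / `[AutoValidateAntiforgeryToken]`, and the details differ). `SERVER_KEY`, the `/account/*` action URLs, the `__RequestVerificationToken` field name and the sample user are assumptions for the example. It shows what the check covers and what it does not: the token is bound to the browser session, not to the form's action, so the same token is accepted at every POST action in the app, and the asker's devtools edit has to be stopped by per-action authorization.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed example: a minimal synchronizer-token pattern.
# Not ASP.NET Core's implementation; names below are assumptions.
SERVER_KEY = secrets.token_bytes(32)  # server secret, never sent to clients


def issue_session_cookie() -> str:
    """Random per-browser-session value the server sets as a cookie."""
    return secrets.token_hex(16)


def issue_form_token(session_cookie: str) -> str:
    """Hidden-field value rendered into every form for this session.

    It is an HMAC over the session cookie, so it only 'matches' when submitted
    together with the cookie it was issued for. Note what is NOT covered by
    the MAC: the form's action URL and the model being posted.
    """
    return hmac.new(SERVER_KEY, session_cookie.encode(), hashlib.sha256).hexdigest()


def antiforgery_ok(cookie: Optional[str], form_token: Optional[str]) -> bool:
    """The whole check: cookie present, token present, token matches the cookie."""
    if not cookie or not form_token:
        return False
    return hmac.compare_digest(issue_form_token(cookie), form_token)


# Two POST actions taking the same model, as in the question.
# Which one runs is decided only by the submitted action URL.
def transfer(user: dict, model: dict) -> str:
    return f"transferred {model['amount']}"


def transfer_admin(user: dict, model: dict) -> str:
    # Per-action authorization: the antiforgery token does not do this for you.
    if "admin" not in user["roles"]:
        return "403 forbidden"
    return f"admin-transferred {model['amount']}"


ACTIONS = {"/account/transfer": transfer, "/account/transfer-admin": transfer_admin}


def handle_post(request: dict) -> str:
    """Simulated MVC pipeline: antiforgery filter first, then the action."""
    form = request.get("form", {})
    if not antiforgery_ok(request.get("cookie"), form.get("__RequestVerificationToken")):
        return "400 antiforgery failure"
    return ACTIONS[request["action"]](request["user"], form)


def demo() -> dict:
    """Four submissions against the same logged-in session (constructed data)."""
    cookie = issue_session_cookie()
    token = issue_form_token(cookie)  # what the server renders into the page's form
    user = {"name": "alice", "roles": ["user"]}
    results = {}

    # 1. Normal submission of the rendered form.
    results["normal"] = handle_post({"cookie": cookie, "user": user, "action": "/account/transfer",
                                     "form": {"__RequestVerificationToken": token, "amount": 10}})

    # 2. Same user edits the form's action in devtools. The antiforgery check still
    #    passes (no 400); only the action's own authorization check stops it.
    results["edited_action"] = handle_post({"cookie": cookie, "user": user, "action": "/account/transfer-admin",
                                            "form": {"__RequestVerificationToken": token, "amount": 10}})

    # 3. Cross-site forgery: the browser attaches the cookie, but the attacker's
    #    page cannot read the token, so it can only submit a guess.
    results["cross_site"] = handle_post({"cookie": cookie, "user": user, "action": "/account/transfer",
                                         "form": {"__RequestVerificationToken": "0" * 64, "amount": 10}})

    # 4. A token from the attacker's own session, replayed with the victim's cookie.
    other_token = issue_form_token(issue_session_cookie())
    results["wrong_session"] = handle_post({"cookie": cookie, "user": user, "action": "/account/transfer",
                                            "form": {"__RequestVerificationToken": other_token, "amount": 10}})
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14} -> {outcome}")
```

Case 2 is the one the question is about: the edited form passes the antiforgery filter because the filter only proves the request came from a page this server rendered for this session, so each action must authorize the caller on its own.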