
Are there CSRF attacks that don't use cookies?


Suppose an HTTP server reads virtually no data from cookies at all. All data comes from different parts of the request: headers, body, URL, etc. Does this fact guarantee there can be no CSRF attacks?


Solution

CSRF does not need cookies specifically. It needs authentication that is sent by a browser automatically. Other such forms of authentication include HTTP Basic auth and client certificates, for example.

If a specific HTTP header is used for authorization (e.g. a bearer token), that effectively prevents CSRF.
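As an added illustration of the distinction the answer draws (not code from the original Q&A), the snippet below classifies a request by whether its credential is one the browser attaches on its own (cookie, HTTP Basic, TLS client certificate) and so is CSRF-relevant, or an explicit per-request header (a bearer token) that a cross-site page cannot attach; for the ambient case it applies an Origin/Referer check. The header names, the `client_cert_verified` flag (assumed to be set by the TLS layer), the trusted origin and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # no state change expected
TRUSTED_ORIGIN = "https://app.example"      # assumed origin of the site


@dataclass
class Request:
    method: str
    headers: dict                   # header names lower-cased
    client_cert_verified: bool = False   # assumed: set by the TLS layer


def ambient_credential(req: Request):
    """Return the kind of credential the browser sent automatically, or None."""
    if "cookie" in req.headers:
        return "cookie"
    auth = req.headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        return "basic"          # browsers cache and resend Basic credentials
    if req.client_cert_verified:
        return "client-cert"    # presented by the browser during TLS handshake
    return None                 # e.g. "Bearer ..." set by same-origin script only


def csrf_decision(req: Request) -> str:
    """'allow', 'allow-not-ambient' or 'reject-csrf' for this request."""
    if req.method in SAFE_METHODS:
        return "allow"
    if ambient_credential(req) is None:
        # A custom Authorization header must be added by script running on
        # the site's own origin; a cross-site form cannot supply it.
        return "allow-not-ambient"
    # Ambient credential on a state-changing request: require the
    # browser-supplied Origin (Referer as fallback) to match the site.
    # An absent Origin/Referer is treated as untrusted in this example.
    origin = req.headers.get("origin") or req.headers.get("referer", "")
    if origin == TRUSTED_ORIGIN or origin.startswith(TRUSTED_ORIGIN + "/"):
        return "allow"
    return "reject-csrf"


if __name__ == "__main__":
    # constructed sample requests
    print(csrf_decision(Request("POST", {"cookie": "sid=1", "origin": "https://evil.example"})))
    print(csrf_decision(Request("POST", {"authorization": "Bearer abc"})))
```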