On Django 1.9.9, if any value of the cookie contains a space, then the Django 1.9 would not parse any of the cookies and hence, csrftoken validation would fail as well. We are thinking of fixing the cookie parsing logic on Django request.
We upgraded to Django 1.9.10 from 1.9.9 and it looks like they have fixed this issue.
The cookie parsing logic if fixed here: https://docs.djangoproject.com/en/3.1/releases/1.9.10/.