Tags: ajax, http-headers, rest, x-xsrf-token

What does the first 'X' in 'X-XSS-Protection', 'X-XSRF-TOKEN', and other similar HTTP headers signify?


It seems like just an arbitrary repetition, but I assume it must have some meaning. Else why not just call them 'XSS-Protection' and 'XSRF-TOKEN', respectively? If I knew the answer, the question of whether there is some rule-of-thumb regarding the naming convention would presumably answer itself too...


Solution

It traditionally meant it was non-standard, sometimes stated as short for eXperimental or eXtension.

The problem is that if the header was successful and deserved standardisation, then it was usually so ingrained in the X- format that it was almost impossible to change. Some of the use cases you note, for example, are very much standard (even if not formally) and almost certainly won’t change now to drop the X-.

RFC 6658 formally deprecated the X- naming convention even for new or experimental headers and gives some of the details mentioned above.