As for the missing SameSite attribute value / as for the yellow background text:
Most likely upstream issue.
⚓ T325663 Audit use of cookies #2
In short: MediaWiki I guess uses different code paths for creating cookies. That’s why some cookies are missing that setting.
I don’t think this warning causing the invalid CSRF token issue.
might be caused by this:
Does this sounds like the issue…?