The CSRF-protection protects you against Cross-site request forgery.
It doesn’t matter if it’s GET or POST, an attacker might trick one of your users into submitting a form that directs to your site, for example by using javascript on the evil site. So I’d say, if you can: enable it.
The idea behind a CSRF-token is that an attacker cannot read the token you generate for a visitor due to Javascript’s same origin policy so the attacker cannot send a fake request using the victim’s browser.
It’s not possible to create a new token on every request. Generating a new one on every request would mean the framework would have to keep track of all generated tokens to verify if a request was valid and not from an attacker (think how this could go wrong when using tabs on the same site).
It’s also not necessary to generate a new one on every request, as long as the one that is generated can not be stolen by a 3rd party (and it can’t), it’s safe for verifying requests.