Yes, you’re right about that (you’re XSS-ed and prevention was too trivial), but that’s not the point of this topic… the point is CSRF token validation. Just imagine they have your CSRF token and they can avoid your CSRF protection.
The problem with regenerating the token on each request is this scenario:
I open www.example.com and start writing a long, long blog post.
In the middle of writing the post, I notice there are some comments on another post pending approval, I right click the link and open it in a new tab.
I approve some comments and close that tab.
I continue writing my blog post, 10000 words later I click "Publish".
Since my CSRF token has expired, I get an exception when I post and I lose all my work.
This also applies to storing the CSRF token in the session. At least if a session expires while the user is filling out a form the CSRF token won’t expire, and we can store their submission and post it after they log back in. If the CSRF token is in the session, we won’t be able to trust that that input really came from the user.
The fact is, if a malicious website can read your cookies, you’re already screwed and CSRF protection is only going to slow them down, not stop them.
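The multi-tab scenario described above, as an added example that is not code from the original thread: an in-memory model of a per-session CSRF token store where `max_live` controls how many issued tokens stay valid. With `max_live=1` (regenerate on every request, only the newest token is valid) the "Publish" in tab A is rejected after tab B made a request; keeping a small window of recent tokens valid lets it succeed while a token not issued to this session is still rejected. The session dict, `CsrfPolicy`, and `run_two_tab_scenario` are assumptions made for the illustration, not any framework's API.

```python
import hmac
import secrets
from collections import deque


def new_session() -> dict:
    """Constructed stand-in for a server-side session record.

    Assumption: a real app keeps this in its session store, keyed by the
    session cookie; only the CSRF bookkeeping is modelled here.
    """
    return {"csrf_tokens": deque()}


class CsrfPolicy:
    """How many issued tokens a session keeps valid at once.

    max_live=1 -> "regenerate on every request": only the most recently
                  issued token validates (the scheme the post criticises).
    max_live=N -> the N most recently issued tokens validate, so a form
                  opened in one tab survives requests made from another.
    """

    def __init__(self, max_live: int):
        if max_live < 1:
            raise ValueError("max_live must be >= 1")
        self.max_live = max_live

    def issue(self, session: dict) -> str:
        """Mint a fresh token for a rendered form and record it in the session."""
        token = secrets.token_urlsafe(32)
        live = session["csrf_tokens"]
        live.append(token)
        while len(live) > self.max_live:
            live.popleft()  # oldest token falls out of the valid window
        return token

    def validate(self, session: dict, submitted: str) -> bool:
        """True if the submitted token is one of the session's live tokens.

        compare_digest gives a constant-time comparison; it only accepts
        ASCII str, so anything else is rejected outright.
        """
        if not isinstance(submitted, str) or not submitted.isascii():
            return False
        return any(hmac.compare_digest(t, submitted) for t in session["csrf_tokens"])


def run_two_tab_scenario(policy: CsrfPolicy) -> dict:
    """Replay the blog-post / comment-approval sequence from the post."""
    session = new_session()
    # Tab A: GET /posts/new renders the editor with token_a in a hidden field.
    token_a = policy.issue(session)
    # Tab B: GET /comments/pending renders the approval form with token_b.
    token_b = policy.issue(session)
    # Tab B: POST /comments/approve submits token_b; the response page gets a new token.
    approve_ok = policy.validate(session, token_b)
    policy.issue(session)
    # Tab A: 10000 words later, "Publish" submits the original token_a.
    publish_ok = policy.validate(session, token_a)
    return {"approve_ok": approve_ok, "publish_ok": publish_ok}


def forged_token_rejected(policy: CsrfPolicy) -> bool:
    """A token never issued to this session must fail under any window size."""
    session = new_session()
    policy.issue(session)
    return not policy.validate(session, secrets.token_urlsafe(32))


if __name__ == "__main__":
    for n in (1, 5):
        print(f"max_live={n}:", run_two_tab_scenario(CsrfPolicy(n)),
              "forged rejected:", forged_token_rejected(CsrfPolicy(n)))
```

The window only changes how many of the session's own tokens stay valid; a token that was never issued to that session still fails, so the protection against cross-site requests is unchanged.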