There are some discussions like this on SO claiming that CSRF protection is not required for anonymous forms. Looking at the Stack Overflow HTML code, when not logged in, you can see the CSRF token being set for the answer box when posting as an anonymous user.
- How does this CSRF token help protect an anonymous user?
- A CSRF token should be associated with a user session ID. What's the equivalent used for an anonymous user? The IP address?
The rule of thumb is that any state-changing operation needs to be protected from CSRF attacks. So if your form is a state-changing operation, it should be protected. For example, this answer describes why you need to use CSRF protection on a login form (remember that the user is anonymous when logging in). I've seen anonymous polling forms that you would also want to protect. In the case of the polling forms, the CSRF token is protecting the site's integrity (whatever integrity an anonymous polling site has).
On the other hand, some forms don't need CSRF protection. Obviously forms that are processed in JavaScript and never go to the server don't need CSRF protection. The same is true for forms that perform basic utilities such as language translation forms.
Most web frameworks have stateful sessions for anonymous users. For example, PHP uses the $_SESSION variable. They typically set a cookie in the user's browser to the session ID. You would use the stateful session to store the server-side copy of the CSRF token.
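An added example, not part of the original answer: a sketch of the anonymous-session pattern described above, where the server-side copy of the CSRF token lives in a session keyed by the session ID cookie. The in-memory `SESSIONS` store, the function names and the polling form fields are assumptions made for illustration, not any framework's API.

```python
import hmac
import secrets

# Hypothetical in-memory session store: session ID (the cookie value) -> session data.
SESSIONS = {}

def start_anonymous_session():
    """Create a session for a visitor who is not logged in; return the ID sent as a cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None}  # no account is attached to this session
    return sid

def issue_csrf_token(sid):
    """Store the server-side copy of the token in the session; return it for the hidden form field."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf_token"] = token
    return token

def handle_post(cookie_sid, form):
    """Accept a state-changing POST only if the submitted token matches the session's copy."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 403, "no session"
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes; a missing token on either side is rejected.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return 403, "CSRF token mismatch"
    session.setdefault("votes", []).append(form["choice"])
    return 200, "vote recorded"

if __name__ == "__main__":
    sid = start_anonymous_session()   # cookie set on the first page view
    token = issue_csrf_token(sid)     # embedded in the site's own form
    # Form submitted from the site itself: cookie and token both present.
    print(handle_post(sid, {"csrf_token": token, "choice": "A"}))
    # Cross-site request (constructed): the browser attaches the cookie,
    # but the other origin cannot read the token from the page.
    print(handle_post(sid, {"choice": "B"}))
    # A token issued to a different anonymous session is rejected as well.
    other = start_anonymous_session()
    print(handle_post(sid, {"csrf_token": issue_csrf_token(other), "choice": "B"}))
```

The token is bound to the anonymous session rather than to a user account or an IP address, so only a page that was served within that session can produce a request the server accepts.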