There are some discussing like this on SO claiming that csrf protection is not required for anonymous forms. Looking at the stackoverflow html code, when not logged in, you can see the csrf token being set for he answer box when posting as an anonymous user.
On
It depends on the acceptable risk level of your site.
How does this csrf token help protecting an anonymous user?
The risk is that the anonymous comment will be credited as coming from that particular anonymous user. That is, all the metadata will point to them (IP address, browser, OS, cookies, etc), rather than to the malicious user and site. The only evidence that it was from a CSRF attack would be headers such as Origin and referer.
csrf token should be associated with a user session id. What's the equivalent used for an anonymous user? The ip address?
You can protect your pages in much the same way as you can protect against login CSRF. This is effectively a Double Submit Cookies approach.
So the process is:
Set-Cookie: header for a cryptographically secure random token, and the form itself contains a hidden field with the same token.This will prevent a malicious site from submitting the cross domain form and "crediting" it to the browser user because although the malicious site can cause the browser to send the cookie in the token, they can't discover the token value to include in the payload itself (i.e. the hidden field when submitted legitimately).
The rule of thumb is that any state changing operation needs to be protected from CSRF attacks. So if your form is a state changing operation, it should be protected. For example, this answer describes why you need to use CSRF protection on a login form (remember that the user is anonymous when logging in). I've seen anonymous polling forms that you would also want to protect. In the case of the polling forms, the CSRF token is protecting the site's integrity (whatever integrity an anonymous polling site has).
On the other hand, some forms don't need CSRF protection. Obviously forms that are processed in JavaScript and never go to the server don't need CSRF protection. The same is true for forms that perform basic utilities such as language translation forms.
Most web frameworks have stateful sessions for anonymous users. For example, PHP uses the $_SESSION variable. They typically set a cookie in the user's browser to the session ID. You would use the stateful session to store the server-side copy of the CSRF token.