Yep.

SameSite

cookies don't offer full protection and personally I don't think it's much of a hassle to include CSRF tokens as Django makes it pretty simple