For reference, we recently enabled CSRF/Crumbs in a server and it stopped accepting published jobs from other, internal servers. Searching existing forks, I just saw the following one which, applied to current master, seems to be doing the work, and our private servers can continue publishing like a charm:
I have only needed to install the custom build-publisher.hpi in the sender; no change was required in the receiver.
Disclaimer: I'm a complete noob and haven't looked much into whether the patch is 100% correct or not... it just looked "legit enough" for me to give it a try. Credit goes to AJ Banck; I just picked the patch from there and rebuilt the plugin.
It really would be great to get the solution incorporated upstream if it's considered correct. Without it... the plugin loses much... because of the security compromise.