Would you mind extending your reasoning / clarifying the Jenkins position in the original issue?
I think the CSRF token is not correctly implemented in Jenkins. The goal is to prevent CSRF attacks in session-based requests (that is, authenticate once with user/password, protected against subsequent CSRF attacks by requiring a token with each request).
API usage by token-based authentication is a completely different thing, however - the authentication is done with each request by providing the API token. There is no way to attack this scheme by CSRF anyway, as there is no session involved. Requiring the CSRF token in this case does not provide additional security - it just requires the API user to do an additional request for the CSRF token prior to making the API call.
Without knowledge of the API token, the API call is not vulnerable. With knowledge of the API token, the CSRF token is no additional protection.
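
The distinction drawn in the comment above, modelled as an added example (not part of the original comment and not Jenkins code): a toy server that requires a CSRF token only for cookie-authenticated requests, and a toy browser that attaches cookies automatically. The cookie name, the `Bearer` header format, all function names and all sample values are constructed assumptions.

```python
import hmac
import secrets

# Constructed server state for the model: one browser session and one API token.
SESSIONS = {"sess-1": {"user": "alice", "csrf": secrets.token_hex(16)}}
API_TOKENS = {"tok-alice": "alice"}

def browser_request(cookie_jar, headers=None, form=None):
    """Model of a browser: stored cookies are attached automatically to any
    request to the site, including one triggered by another origin's page.
    Custom headers appear only if the calling script was able to set them."""
    return {"cookies": dict(cookie_jar), "headers": headers or {}, "form": form or {}}

def handle_post(req, enforce_csrf_for_sessions=True):
    """Return (status, user). Token auth is checked on every request; the CSRF
    token is required only when the request was authenticated by the cookie."""
    auth = req["headers"].get("Authorization", "")
    if auth.startswith("Bearer "):
        user = API_TOKENS.get(auth[len("Bearer "):])
        # No ambient credential involved: the caller had to know the token.
        return (200, user) if user else (401, None)
    session = SESSIONS.get(req["cookies"].get("SESSIONID", ""))
    if session is None:
        return (401, None)
    if enforce_csrf_for_sessions:
        sent = req["form"].get("csrf", "")
        if not hmac.compare_digest(sent, session["csrf"]):
            return (403, None)
    return (200, session["user"])

def scenarios():
    jar = {"SESSIONID": "sess-1"}  # victim is logged in
    forged = browser_request(jar)  # cross-site form post: cookie sent, no CSRF token
    legit = browser_request(jar, form={"csrf": SESSIONS["sess-1"]["csrf"]})
    api = {"cookies": {}, "headers": {"Authorization": "Bearer tok-alice"}, "form": {}}
    api_bad = {"cookies": {}, "headers": {"Authorization": "Bearer guess"}, "form": {}}
    return {
        "forged_no_csrf_check": handle_post(forged, enforce_csrf_for_sessions=False),
        "forged_with_csrf_check": handle_post(forged),
        "legit_session": handle_post(legit),
        "api_token_no_csrf": handle_post(api),
        "api_wrong_token": handle_post(api_bad),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```
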