After https://github.com/symfony/symfony/releases/tag/v3.3.13 the token in the session is name spaces with https when https in use.

The layout needs to be aware of this now this will not work.

<meta name="CSRF-Token" content="{{ app.session.get('_csrf/authenticate') }}" />

And in the case of https is should be

<meta name="CSRF-Token" content="{{ app.session.get('_csrf/https-authenticate') }}" />