I understood the purpose of the CSRF Token protection.
However, I think this protection is useless and we should remove it in the case of a REST API requiring an authentication token in the header for each action.
This way, even if Mallory forges a malicious HTML link to Alice, the attack cannot be done. The reason is that:
Alice keeps her authentication information in a header key that Mallory doesn't know. And unlike a cookie, Alice's browser doesn't submit this authentication token automatically.
So in this context, I would like to have your point of view about the question: can we remove a CSRF token protection from this kind of API design?
Yes, you don't need CSRF protection when using a bearer scheme authentication as the browser does not automatically add the Authorization header to the request.
You do need CSRF protection for cookie, basic, Windows, digest and client certificate authentication schemes as these are automatically added by the browser.
See also Dominick Baier's article on implicit vs explicit authentication: http://leastprivilege.com/2015/04/01/implicit-vs-explicit-authentication-in-browser-based-applications/