What would be the security loophole if a logoff request is not validated with an XSRF/CSRF token?
Don't think of Anti-CSRF tokens as a mechanism implemented on individual endpoints/requests. Ideally, such a mechanism is baked in as a critical part of the framework you're developing in.
An Anti-CSRF token may seem redundant on a logout link, which is not what worries me here. What worries me is designing a system which allows, or rather, does not enforce Anti-CSRF mechanisms.
In this context, the CSRF may seem benign. What happens, however, when the logout link is vulnerable to, say, XSS? Suddenly the Anti-CSRF token is no longer there to protect you.
Always practice Defence in Depth, in that your security should be wrapped in layers, Anti-CSRF being one of them.
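
As an added example (not part of the original answer), one way to enforce the check at the framework layer instead of per endpoint: a WSGI middleware that requires a session-bound token on every unsafe request, logout included. The `sid` cookie name, the `X-CSRF-Token` header, `demo_app` and the `call` helper are assumptions made for illustration.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # methods that must never change state


def issue_token(session_id: str, key: bytes) -> str:
    """Token bound to the session: HMAC-SHA256(key, session_id)."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


class CsrfMiddleware:
    """Rejects every unsafe request lacking a valid token; no per-route opt-out."""

    def __init__(self, app, key: bytes):
        self.app, self.key = app, key

    def __call__(self, environ, start_response):
        if environ["REQUEST_METHOD"] not in SAFE_METHODS:
            cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
            sid = cookie["sid"].value if "sid" in cookie else ""  # assumed cookie name
            sent = environ.get("HTTP_X_CSRF_TOKEN", "").encode()
            expected = issue_token(sid, self.key).encode()
            # Constant-time compare; a request without a session never validates.
            if not sid or not hmac.compare_digest(sent, expected):
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"CSRF token missing or invalid"]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Constructed application: logout is a POST, so the middleware covers it."""
    if environ["PATH_INFO"] == "/logout" and environ["REQUEST_METHOD"] == "POST":
        start_response("200 OK", [("Set-Cookie", "sid=; Max-Age=0")])
        return [b"logged out"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def call(app, method, path, cookie="", token=None):
    """Drive a WSGI app with a constructed request; return the status line."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_COOKIE": cookie}
    if token is not None:
        environ["HTTP_X_CSRF_TOKEN"] = token
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

Because the middleware wraps the whole application, a new endpoint is protected by default and nobody has to decide whether logout "deserves" a token.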