You only need the token for POST, PUT, PATCH and DELETE. So I don't see what the issue is here... You still need the cookie to be created here, right? Let's say you do a GET request to grab a form to create a user. You need that cookie so you can post a _token.

You say you don't need the cookie here, but the next request might need the cookie. So you create the cookie for the next request. Therefore you can check if the token is correct or not.

I couldn't think of a quick example here, but I hope you get the idea. Let me know if you need a better explanation ;)
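
The flow described in the reply above, as an added example that is not part of the original post: a GET creates the session cookie and its token, and only POST, PUT, PATCH and DELETE are checked against the _token field. The handle function, the "session" cookie name, the in-memory SESSIONS store and the 403 status are assumptions made for illustration, not any framework's API.

```python
import hmac
import secrets

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
SESSIONS = {}  # cookie value -> CSRF token (assumed in-memory stand-in for a session store)


def handle(method, cookies=None, form=None):
    """Process one request; return (status, set_cookie, token_to_embed_in_form)."""
    cookies, form = cookies or {}, form or {}
    sid = cookies.get("session")
    set_cookie = None

    if sid not in SESSIONS:
        # No valid session yet: create the cookie now, even on a GET,
        # so the NEXT request has a token it can be checked against.
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = secrets.token_urlsafe(32)
        set_cookie = {"session": sid}

    expected = SESSIONS[sid]

    if method.upper() in STATE_CHANGING:
        sent = form.get("_token", "")
        fresh_session = set_cookie is not None  # client sent no usable cookie
        # Constant-time comparison of the submitted token with the session's token.
        if fresh_session or not hmac.compare_digest(sent.encode(), expected.encode()):
            return 403, set_cookie, None

    # Safe methods are never checked; the token is returned so the
    # rendered form can carry it in a hidden _token field.
    return 200, set_cookie, expected


if __name__ == "__main__":
    # Constructed walk-through: fetch the form, then submit it.
    status, cookie, token = handle("GET")
    print("GET form        ->", status, "cookie set:", cookie is not None)
    print("POST with token ->", handle("POST", cookie, {"_token": token})[0])
    print("POST no token   ->", handle("POST", cookie, {})[0])
    print("POST no cookie  ->", handle("POST", {}, {"_token": token})[0])
```
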

