Unauthenticated 401 error with ajax request to web route on android / chromeOS

I have a web (not API) route that i'm POSTing to via AJAX. It's working fine on desktop, but sometimes gets a 401 Unauthenticated error, almost exclusively on Android/ChromeOS and sometimes Mobile Safari.

I'm using this:

$.ajaxSetup({
    headers: {
        'X-CSRF-TOKEN': '{{ csrf_token() }}',
        'X-Requested-With': 'XMLHttpRequest'
    }
});

$.ajax({
    type: "POST",
    url: '/students/books/{{$book->isbn}}/read',
    data: { _token: '{{ csrf_token() }}' },
    success: function(data)
    {
        console.log('marked as read in db');
    },
    error: function(data)
    {           
        // send to bugsnag
    }
});

I have a custom guard on the user, but I don't think that should make any difference.

User session is not timed out as far as I can tell.

Students are reading a digital book and probably take while to do so before this AJAX post is fired. Do I need to refresh the csrf token or something?

Again, it's working fine on desktop. Something different to account for on android/iOS?