Understanding laravel sanctum security with SPAs
Hi all hope you're well!
I'm a bit new to BE but trying to understand Laravel sanctum's security for SPAs. Made some progress but wanted to clarify my understanding and check some points.
So there seem to be 3 main points:
- Same-origin policy (SOP) & SameSite cookie = lax
- Anti-CSRF tokens
- Session tokens
So the SameSite cookie policy being set to lax stops cookies being shared with other sites (like the anti-CSRF and session id token), which makes sense. And the SOP stops other sites making XHR requests or PUT, PATCH and DELETE requests (but not GET and POST).
The anti-CSRF token exists to ensure that you need the cookies to make POST requests (but not GET requests; these are not blocked by the CSRF middleware), and since cookies are not shared cross-site (due to SameSite lax) you have blocked them from other sites. It would also block PUT, PATCH and DELETE, but SOP handles this too. When the user first visits the site they are given a session token and anti-CSRF token, which is also saved server side as a session. If the user logs in (sends a valid username & password with a session id) the session is updated to include that user. Then any following requests can be assumed to be from that user and the relevant permissions granted.
I think my main confusion is: what is the point of the anti-CSRF token? I don't understand why the session id couldn't just be used interchangeably, particularly since non-authenticated users also have access to session ids. I've seen articles that say it's helpful as the anti-CSRF token can be refreshed each request to prevent man-in-the-middle attacks, but best I can tell Laravel keeps anti-CSRF tokens the same per session. Is this here solely to allow for the option to be per request?
Thanks for any help!
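A small Python model, added here and not Laravel's or Sanctum's own code, of how the `VerifyCsrfToken` check behaves against the cookie behaviour discussed in the question: the browser attaches the session cookie automatically, while the `X-XSRF-TOKEN` header can only be set by the SPA's own JavaScript reading the non-HttpOnly `XSRF-TOKEN` cookie. The session store, session id and token values are constructed; `lax_enforced` is a hypothetical switch standing in for a browser (or cookie setting) that does not apply SameSite=Lax.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class Session:
    user: Optional[str]
    csrf_token: str

# Constructed server-side session store: one logged-in session.
SESSIONS = {"sess-1": Session(user="alice", csrf_token="tok-abc")}
SESSION_COOKIE, XSRF_COOKIE = "laravel_session", "XSRF-TOKEN"

def build_request(method: str, same_site: bool, lax_enforced: bool = True) -> dict:
    """Model what the browser sends to the API for a request issued from a page.
    same_site: the page is the SPA itself, so its JS can read the XSRF-TOKEN cookie.
    lax_enforced: the browser honours SameSite=Lax (no cookies on cross-site POST)."""
    cookies, headers = {}, {}
    # Cookies travel automatically: always same-site; cross-site only on a
    # top-level GET under Lax, or on anything if Lax is not enforced.
    if same_site or method == "GET" or not lax_enforced:
        cookies = {SESSION_COOKIE: "sess-1", XSRF_COOKIE: "tok-abc"}
    # Only the SPA's own JS can read the cookie value and echo it as a header;
    # a cross-site page never gets to see it, even when the browser sends it.
    if same_site:
        headers["X-XSRF-TOKEN"] = cookies[XSRF_COOKIE]
    return {"method": method, "cookies": cookies, "headers": headers}

def verify_csrf(req: dict) -> bool:
    """Model of the middleware: reading methods are exempt, anything else must
    carry a token that matches the one stored in the request's session."""
    if req["method"] in ("HEAD", "GET", "OPTIONS"):
        return True
    session = SESSIONS.get(req["cookies"].get(SESSION_COOKIE))
    if session is None:
        return False  # no session cookie arrived, so nothing to compare against
    supplied = req["headers"].get("X-XSRF-TOKEN", "")
    return hmac.compare_digest(supplied, session.csrf_token)

def scenarios() -> dict:
    return {
        "spa_post": verify_csrf(build_request("POST", same_site=True)),
        "cross_site_post_lax": verify_csrf(build_request("POST", same_site=False)),
        "cross_site_post_no_lax": verify_csrf(build_request("POST", same_site=False, lax_enforced=False)),
        "cross_site_get": verify_csrf(build_request("GET", same_site=False)),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The third scenario is the one SameSite alone does not cover: the session cookie still arrives, but the cross-site page cannot read the cookie to fill in the header, so the session id on its own is not enough and the request is rejected.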