Hi John,
Even though I'm two years late, in case someone runs into this problem I managed to solve it by:
1. Whitelisting the 'x-csrfmiddlewaretoken' header (i.e. so that it gets properly forwarded to the origin) in the distribution settings.
2. Whitelisting the 'csrftoken' cookie in the distribution behaviour.
Best,
Joao
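
A check for the two settings described above, as an added example that is not part of Joao's post. It assumes the distribution is Amazon CloudFront with the legacy `ForwardedValues` cache-behaviour settings; the sample config is constructed for illustration.

```python
from fnmatch import fnmatchcase

HEADER = "x-csrfmiddlewaretoken"  # header name from the post
COOKIE = "csrftoken"              # cookie name from the post

def _items(block):
    """Return the Items list of a CloudFront {Quantity, Items} block."""
    return (block or {}).get("Items") or []

def header_forwarded(behavior, name=HEADER):
    # Header names are case-insensitive; "*" forwards every header.
    fwd = {h.lower() for h in _items(behavior.get("ForwardedValues", {}).get("Headers"))}
    return "*" in fwd or name.lower() in fwd

def cookie_forwarded(behavior, name=COOKIE):
    cookies = behavior.get("ForwardedValues", {}).get("Cookies") or {}
    mode = cookies.get("Forward", "none")
    if mode == "all":
        return True
    if mode != "whitelist":
        return False
    # Cookie names are case-sensitive; whitelist entries may use * and ?.
    return any(fnmatchcase(name, pat) for pat in _items(cookies.get("WhitelistedNames")))

def audit(distribution_config):
    """List (path pattern, kind, name) for each behaviour that drops the CSRF data."""
    behaviors = [("default", distribution_config["DefaultCacheBehavior"])]
    for b in _items(distribution_config.get("CacheBehaviors")):
        behaviors.append((b.get("PathPattern", "?"), b))
    findings = []
    for label, b in behaviors:
        if not header_forwarded(b):
            findings.append((label, "header", HEADER))
        if not cookie_forwarded(b):
            findings.append((label, "cookie", COOKIE))
    return findings

# Constructed sample: the default behaviour is fixed, "/api/*" is not.
SAMPLE = {
    "DefaultCacheBehavior": {"ForwardedValues": {
        "Headers": {"Quantity": 1, "Items": ["X-CSRFMiddlewareToken"]},
        "Cookies": {"Forward": "whitelist",
                    "WhitelistedNames": {"Quantity": 1, "Items": ["csrftoken"]}}}},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/api/*", "ForwardedValues": {
            "Headers": {"Quantity": 0}, "Cookies": {"Forward": "none"}}}]},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Each additional cache behaviour has its own forwarding settings, so a path pattern that overrides the default can still drop the token and the cookie.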