CSRF protection in subdomains

On the website, customers automatically receive a subdomain when registering.

I read up on CSRF, and CSRF in subdomains can apparently be solved using CSRF_COOKIE_DOMAIN.

Nevertheless, the following lines in the official Django documentation give me a headache:

Subdomains within a site will be able to set cookies on the client for the whole domain. By setting the cookie and using a corresponding token, subdomains will be able to circumvent the CSRF protection. The only way to avoid this is to ensure that subdomains are controlled by trusted users (or, are at least unable to set cookies). Note that even without CSRF, there are other vulnerabilities, such as session fixation, that make giving subdomains to untrusted parties a bad idea, and these vulnerabilities cannot easily be fixed with current browsers.

Source: Cross Site Request Forgery protection | Django documentation | Django

How can I increase protection in subdomains?

It depends as much upon how much control you have over that subdomain as anything else.

If all traffic to/from that domain is going through your Django stack, and no one else has the ability to handle requests for that subdomain, you could probably greatly improve the situation by adding some middleware to filter the cookies being sent/received.
(That’s in part what’s implied by “(or, are at least unable to set cookies)”.)
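
One way to implement the outgoing half of the cookie filtering suggested in the answer above, as an added example that is not part of the original thread or Django's own code: Django-style middleware that strips the Domain attribute from every cookie a response sets on a customer subdomain, so those cookies stay host-only. The class name, TRUSTED_HOSTS and the example.com hosts are assumptions, and it only sees Set-Cookie headers on responses that pass through Django.

```python
from http.cookies import SimpleCookie

# Assumption: the operator's own hosts (placeholders). Every other host that
# reaches this Django stack is treated as a customer subdomain.
TRUSTED_HOSTS = {"example.com", "www.example.com"}


def is_tenant_host(host):
    """True unless the host (port stripped) is one of the operator's hosts."""
    return host.split(":")[0].lower().rstrip(".") not in TRUSTED_HOSTS


def force_host_only(host, cookies):
    """Strip Domain from cookies set on a tenant host; return affected names.

    `cookies` is an http.cookies.SimpleCookie, the type Django uses for
    HttpResponse.cookies. A cookie without Domain is only sent back to the
    exact host that set it, so it can never reach the parent domain.
    """
    changed = []
    if is_tenant_host(host):
        for name, morsel in cookies.items():
            if morsel["domain"]:
                morsel["domain"] = ""  # empty attributes are not serialized
                changed.append(name)
    return changed


class TenantCookieFilterMiddleware:
    """Django-style middleware (hypothetical name) applying force_host_only."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        force_host_only(request.get_host(), response.cookies)
        return response


def demo():
    """Constructed sample: a tenant response trying to set a domain-wide token."""
    jar = SimpleCookie()
    jar["csrftoken"] = "constructed-value"
    jar["csrftoken"]["domain"] = ".example.com"
    jar["theme"] = "dark"
    changed = force_host_only("alice.example.com:8000", jar)
    return changed, jar.output(header="").strip()
```

In a Django project the class would be listed in MIDDLEWARE. Cookies written by script in a tenant page via document.cookie never pass through it.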