My web-application has a public-facing part. But all the functionality, including anything that could cause malicious activity, is behind a login wall.
Therefore, it begs the question: are CSRF tokens necessary, or even worth implementing?
This is exactly the situation where CSRF tokens are necessary.
One of your authorized users goes to “not your site”. That site loads some hostile JavaScript in the user’s browser. That JavaScript issues requests to “your site” to perform malicious activity. Without CSRF protection, your site is potentially vulnerable to requests made by that hostile JavaScript.
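The scenario in this answer, written out as an added example (not code from the question or the answer): a session-cookie-only handler beside a handler that also requires a per-session CSRF token (the synchronizer token pattern). The session store, the `login` helper, the transfer form fields and the user names are all constructed for the illustration. The forged request models what the answer describes: the victim's browser attaches the site's session cookie to a request originating from another site, but that other site has no way to read the token embedded in pages served by your own site.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> {"user": ..., "csrf": ...}
SESSIONS = {}


def login(user):
    """Create a session for an authenticated user and bind a fresh,
    unguessable CSRF token to it (synchronizer token pattern)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_form(session_id):
    """Simulates the page your site serves to the logged-in user.
    The token is embedded in the form (e.g. a hidden input), so only
    pages actually rendered by your site know its value."""
    return SESSIONS[session_id]["csrf"]


def handle_transfer_unprotected(cookies, form):
    """Vulnerable handler: trusts the session cookie alone.
    The browser attaches that cookie to any request aimed at this origin,
    so a request forged from another site is indistinguishable from a real one."""
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401  # not logged in
    return 200  # transfer performed


def handle_transfer_protected(cookies, form):
    """Hardened handler: the session cookie proves who the user is, the
    CSRF token proves the request came from a page your site rendered."""
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401  # not logged in
    expected = SESSIONS[sid]["csrf"]
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the check itself leaks nothing about the token.
    if not hmac.compare_digest(expected, supplied):
        return 403  # cookie present, token missing or wrong: reject
    return 200  # transfer performed


def simulate(handler):
    """Run one legitimate and one forged state-changing request through a handler.
    Returns (status_of_legitimate_request, status_of_forged_request)."""
    sid = login("alice")
    cookies = {"session": sid}  # what the victim's browser sends either way
    # Legitimate request: submitted from a page your site rendered, so it carries the token.
    legit = handler(cookies, {"to": "bob", "amount": "10", "csrf_token": render_form(sid)})
    # Forged request: built by "not your site"; the browser still sends the cookie,
    # but the hostile page cannot read the token, so it is absent.
    forged = handler(cookies, {"to": "mallory", "amount": "1000"})
    return legit, forged


if __name__ == "__main__":
    print("unprotected:", simulate(handle_transfer_unprotected))  # (200, 200)
    print("protected:  ", simulate(handle_transfer_protected))    # (200, 403)
```

Running it shows the point of the answer directly: with the cookie-only handler both requests succeed, whereas the token-checking handler accepts the legitimate request and rejects the forged one with 403. The login wall changes nothing here, because the forged request is made by a user who is already logged in. The same check should apply to every state-changing request (POST, PUT, DELETE), and a `SameSite` attribute on the session cookie is a useful additional layer, not a replacement for the token.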