I can address part of this:
Because that’s how the request is validated. The cookie needs to appropriately match the token for the request to be considered valid. The basic intent is that JavaScript from a different host wouldn’t have access to the cookie to build a valid token.
See Cross Site Request Forgery protection | Django documentation | Django for all the gory details.
Regarding Safari, I think the first thing I’d check is that there aren’t any settings set to block cookies or otherwise prevent the cookie from being written or sent.
(I don’t do a lot with Safari, but I just checked one of my sites using Safari on an ipad and have no problems with it at all.)