I think you misunderstand what CSRF protection does. It doesn't have anything to do with same-origin security, but rather preventing request forgery attacks in general. If a CSRF token was present on requests and was tied to a user's session (as is standard), then that would absolutely defend against this attack.
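An added example (not the commenter's code, and not any particular framework's implementation) of what "tied to a user's session" means in practice: the server derives the token from the session identifier with a server-side secret, and a state-changing request is rejected unless the submitted token matches the one for the session named by the cookie. A cross-site request carries the victim's cookie automatically but cannot read the victim's token, so it fails the check. The function names, the dict-shaped request, and the session values are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed: a per-server secret used to derive tokens. It never leaves the server,
# so a cross-site page cannot compute a token for someone else's session.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session: HMAC(server secret, session id)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_valid_csrf_token(session_id: str, token: object) -> bool:
    """Constant-time comparison against the token expected for this session."""
    if not isinstance(token, str):
        return False
    expected = issue_csrf_token(session_id)
    try:
        return hmac.compare_digest(expected, token)
    except TypeError:  # non-ASCII str cannot be compared; treat as invalid
        return False


def handle_state_change(request: dict) -> str:
    """Constructed stand-in for a server handler.

    request = {"cookie_session": <session id the browser attached>,
               "csrf_token": <token submitted in the form body, if any>}
    """
    session_id = request.get("cookie_session")
    if not isinstance(session_id, str) or not session_id:
        return "401 no session"
    if not is_valid_csrf_token(session_id, request.get("csrf_token")):
        return "403 CSRF check failed"
    return "200 action performed"


def demo() -> dict:
    """Three requests: legitimate, forged without a token, forged with the attacker's own token."""
    victim, attacker = "sess-victim", "sess-attacker"  # constructed session ids
    victim_token = issue_csrf_token(victim)      # rendered into the victim's own page only
    attacker_token = issue_csrf_token(attacker)  # attacker can obtain this for their own session

    return {
        # Same-site form submitted by the victim: cookie and matching token.
        "legitimate": handle_state_change({"cookie_session": victim, "csrf_token": victim_token}),
        # Cross-site auto-submitted form: browser attaches the victim's cookie, no token available.
        "forged_no_token": handle_state_change({"cookie_session": victim}),
        # Cross-site form carrying a token valid for the attacker's session, not the victim's.
        "forged_wrong_session_token": handle_state_change(
            {"cookie_session": victim, "csrf_token": attacker_token}
        ),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The binding is the point: a token that is merely present, but not derived from or stored against the session the cookie identifies, would let an attacker substitute one issued to their own session.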