fix: always redact CSRF tokens in log extractor, remove sync.Once config capture footgun
The previous implementation captured DisableValueRedaction from the first New() call via sync.Once closure, which would silently apply that redaction setting to all subsequent csrf middleware instances in the same process. If the first call used DisableValueRedaction=true, full CSRF tokens would leak into logs for every instance created afterward. CSRF tokens are bearer secrets and must always be redacted in log output regardless of DisableValueRedaction. That option controls other masking behavior (error responses, debug output) but not log output.

Co-authored-by: gaby <835733+gaby@users.noreply.github.com>
copilot-swe-agent[bot] committed
c419d2a954ecd3258e34cec9ff4535d0434d76f0
Parent: 13b97d7
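The footgun the commit message describes, reproduced as an added example that is not the project's own code: a package-level sync.Once captures the first instance's DisableValueRedaction and every later instance inherits it, so a second instance that asks for redaction still writes the raw token to its log line. The "fixed" extractor beside it redacts unconditionally and keeps no process-wide state. Config, Extractor, newBuggyExtractor, newFixedExtractor and runScenario are hypothetical minimal stand-ins for the middleware's types; the token value is a constructed sample.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
)

// Config is a hypothetical minimal stand-in for the middleware config;
// only the option named in the commit message is modelled.
type Config struct {
	DisableValueRedaction bool
}

// Extractor turns a request's CSRF token into the string that goes into logs.
type Extractor func(token string) string

// redactToken is the only form of the token that may ever reach a log line.
func redactToken(token string) string {
	return "[redacted]"
}

// ---- Before the fix: process-wide capture via sync.Once ----

var (
	captureOnce       sync.Once
	capturedRedaction bool
)

// newBuggyExtractor captures DisableValueRedaction from the FIRST call only;
// every later instance in the process silently inherits that setting.
func newBuggyExtractor(cfg Config) Extractor {
	captureOnce.Do(func() {
		capturedRedaction = !cfg.DisableValueRedaction
	})
	return func(token string) string {
		if capturedRedaction {
			return redactToken(token)
		}
		return token
	}
}

// ---- After the fix: per-instance, and log output is always redacted ----

func newFixedExtractor(cfg Config) Extractor {
	// DisableValueRedaction governs other masking behaviour (error responses,
	// debug output); it must not influence what the extractor writes to logs.
	return func(token string) string {
		return redactToken(token)
	}
}

// Result records whether the raw token reached the log line of the SECOND
// instance created in the process, for each implementation.
type Result struct {
	BuggyLeaksOnSecond bool
	FixedLeaksOnSecond bool
	BuggyLine          string
	FixedLine          string
}

func logLine(e Extractor, token string) string {
	return fmt.Sprintf("csrf token=%s", e(token))
}

// runScenario reproduces the footgun: the first New() disables redaction,
// the second asks for redaction (the default), yet the buggy version leaks.
func runScenario() Result {
	const token = "constructed-token-0123456789abcdef" // constructed sample, not a real secret

	// First instance in the process opts out of redaction.
	_ = newBuggyExtractor(Config{DisableValueRedaction: true})
	_ = newFixedExtractor(Config{DisableValueRedaction: true})

	// Second instance wants redaction.
	buggy := newBuggyExtractor(Config{DisableValueRedaction: false})
	fixed := newFixedExtractor(Config{DisableValueRedaction: false})

	r := Result{
		BuggyLine: logLine(buggy, token),
		FixedLine: logLine(fixed, token),
	}
	r.BuggyLeaksOnSecond = strings.Contains(r.BuggyLine, token)
	r.FixedLeaksOnSecond = strings.Contains(r.FixedLine, token)
	return r
}

func main() {
	r := runScenario()
	fmt.Println("buggy:", r.BuggyLine, "leak:", r.BuggyLeaksOnSecond)
	fmt.Println("fixed:", r.FixedLine, "leak:", r.FixedLeaksOnSecond)
}
```

The strings.Contains check at the end is the kind of assertion worth keeping in a middleware's test suite: construct two instances with opposite settings in the same process and verify that no log line from either contains the raw token.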