The token is rather unique. You can see source code.
But token don't need absolutely uniqueness, because token lifetime is limited to two requests - generation in form and check, when form submit to application (server).
P.S. If application use AJAX POST form submit, then it is possible to use other methods of protection without token. See http://www.w3.org/TR/cors/