There is no such protection, it does not exist.
csrf has nothing to do with it, no script is trying to be executed.
F12 is available to everyone, the user has received a copy of the document (HTML, CSS, JS), and can do whatever they want with it.
In the same way, he can look at the HTTP request, and send anything there without using a browser.
On Habré, a long time ago they described a project that protects against this. Like, a person went from his browser to another browser where there is no F12, and the site opens there already. You can google this article.
The client code is executed and stored on the client, the client can do whatever he wants with it. Look at Postman, Fiddler2, Burp. This software is specifically for watching and changing the response-request. Looked at the comments on other answers.
The server must check each request for validity, no matter what. Any request is considered invalid unless proven otherwise.
- The server should not accept the value of the goods received from the client as valid. The client received a copy of the price, its value at the time of the request. This is just information for the client, not for the server. Only the server knows the current value, the client can request its value at a certain point in time, and that's it.
But what to do if the client managed to complete the order at the old price, and there is already a new one on the server, this is the task of analysis (for analysts).
You just need to study the code of any online store, as implemented there. Look for a book where such an application is understood.

With proper skill, a "hacker" can perform an operation that is not allowed for him.

json -> string + hash -> encryption -> browser (sumbit) -> server -> decryption -> verification.

Only transferring 'dangerous' activities to the server will save you.
The correct approach to web development is that only the interface and everything connected with it is executed in javascript, and all logic should be on the server.