ASP.NET

How does AntiForgeryToken protect against csrf?

At first I found a simple description in one article.
When loading a page containing a form with a token, the server also sets a cookie containing this token to the client.
When a post request is made to a form, the client sends a token in the body of the request and specifies this cookie with the token. And they say, the server compares the received cookie and the token from the form when receiving a post request, and it protects us that the cookie belongs to the domain and it is not available from other domains.
That's what it said in that article.
Only here, what prevents you from creating an xmlhttprequest, creating a random token, registering it as a cookie for xhr, and putting it in the body, of course.
The server does not store what tokens it created there, it only compares the token from the cookie and from the request body, which means that you can use any random one?
In fact, of course, I already checked that the token and cookie are encrypted differently there, but you can parse the algorithm how they are encrypted in order to generate a pair of token and cookie such that the server will fail them.
UPD: " what prevents you from creating an xmlhttprequest, creating a random token, registering it as a cookie for xhr , and putting it in the body, of course."
It interferes with the fact that the browser will not allow you to set cookies via setRequestHeader () for a cross-domain request.