diff --git a/core/lib/Drupal/Core/Access/CsrfAccessCheck.php b/core/lib/Drupal/Core/Access/CsrfAccessCheck.php
index d6ba3a8..f75d5c2 100644
--- a/core/lib/Drupal/Core/Access/CsrfAccessCheck.php
+++ b/core/lib/Drupal/Core/Access/CsrfAccessCheck.php
@@ -51,7 +51,7 @@ public function appliesTo() {
   public function access(Route $route, Request $request, AccountInterface $account) {
     // If this is the controller request, check CSRF access as normal.
     if ($request->attributes->get('_controller_request')) {
-      return $this->csrfToken->validate($request->query->get('token'), $route->getRequirement('_csrf_token')) ? static::ALLOW : static::KILL;
+      return $this->csrfToken->validate($request->query->get('token'), $request->getPathInfo()) ? static::ALLOW : static::KILL;
     }
 
     // Otherwise, this could be another requested access check that we don't
diff --git a/core/lib/Drupal/Core/Access/RouteProcessorCsrf.php b/core/lib/Drupal/Core/Access/RouteProcessorCsrf.php
index 0fb075c..f9c12d8 100644
--- a/core/lib/Drupal/Core/Access/RouteProcessorCsrf.php
+++ b/core/lib/Drupal/Core/Access/RouteProcessorCsrf.php
@@ -39,9 +39,14 @@ function __construct(CsrfTokenGenerator $csrf_token) {
    */
   public function processOutbound(Route $route, array &$parameters) {
     if ($route->hasRequirement('_csrf_token')) {
+      $path = $route->getPath();
+      // Replace the path parameters with values from the parameters array.
+      foreach ($parameters as $param => $value) {
+        $path = str_replace("{{$param}}", $value, $path);
+      }
       // Adding this to the parameters means it will get merged into the query
       // string when the route is compiled.
-      $parameters['token'] = $this->csrfToken->get($route->getRequirement('_csrf_token'));
+      $parameters['token'] = $this->csrfToken->get($path);
     }
   }
 
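Review bot: The seed passed to validate() on the changed line is `$request->getPathInfo()`, while the token it must match is generated in RouteProcessorCsrf::processOutbound (the second hunk) from `$route->getPath()` with placeholders substituted by hand; the two strings are computed independently and nothing on the page ties them together. If the request reaches the route through a path alias, a language prefix or parameter values that are percent-encoded differently on the wire than in the generated URL, the two strings would presumably differ and the token would be rejected — this fails closed, so it is a functional break rather than a bypass, but it deserves a comment and a test. I would add above the changed line `// Must equal the string RouteProcessorCsrf::processOutbound seeds the token with (the route path with its parameters substituted).` and a test that generates a URL for a parameterised `_csrf_token` route and asserts the resulting request validates. access()'s body continues past the end of the hunk.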
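Review bot: The foreach added in processOutbound substitutes every entry of `$parameters` into the path rather than only the route's path variables, and hands `$value` to str_replace() without checking its type. The same array is what the query string is built from (the hunk itself appends `token` to it for that reason), so a non-string entry changes str_replace()'s semantics (an array value switches it to array-replacement mode) and a value containing a `{...}` sequence could rewrite a later placeholder, which would again make the seed diverge from what CsrfAccessCheck::access validates against. Restricting the loop to the compiled route's path variables and casting to string keeps the seed a function of the path alone.
```php
    if ($route->hasRequirement('_csrf_token')) {
      $path = $route->getPath();
      // Substitute only the route's own path variables so query parameters
      // (including the token appended below) cannot influence the seed.
      foreach ($route->compile()->getPathVariables() as $param) {
        if (isset($parameters[$param])) {
          $path = str_replace("{{$param}}", (string) $parameters[$param], $path);
        }
      }
      // … unchanged: token assignment …
```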