For what it’s worth, I’ve… actively considered doing this to add support in altbee for this and a few other similar things. I haven’t, yet, though altbee does do a simplified version of this (just the cookie, no need for a CSRF token) for getting the tags associated with each goal (briefly described here.)
Yeah, it’s hardly ideal—but it works, and if there are other feature in the future which I want to add to altbee that also need to work this way, well, I’ll probably go for it, CSRF token and all (though I can’t quite say I don’t have a few misgivings about it…)