Make sure that you are using the same domain for all requests.
- serve your content from www.example.com (replace with your domain name here); and
- run the proxy on vault.example.com which then has an upstream of api-internal.example.com
This way you can set the cookie domain value to example.com and the browser will send it to both the proxy and the website that serves the unprotected content, without having to disable cookies or CSRF. Another option may be using a CSRF protection mechanism that doesn't require cookies (i.e. via sessions).
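As an added illustration (not part of the original answer), the following Python models the RFC 6265 domain-matching rule that decides which hosts receive a cookie: a cookie set with `Domain=example.com` reaches www.example.com, vault.example.com and every other host under example.com, while a cookie set without a Domain attribute stays host-only. The hostnames are the ones from the answer; `parse_set_cookie`, `sent_to` and the sample Set-Cookie headers are my own constructions.

```python
import ipaddress
from dataclasses import dataclass


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals the domain, or is a subdomain of it (never for IPs)."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    if host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # IP literals never domain-match a suffix
    except ValueError:
        pass
    return host.endswith("." + cookie_domain)


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # effective cookie domain
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse a Set-Cookie header as the browser would when received from request_host."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    domain = attrs.get("domain", "").lstrip(".").lower()
    if not domain:
        return Cookie(name, value, request_host.lower(), True)
    # A host may only scope a cookie to itself or a parent domain; anything else is rejected.
    if not domain_matches(request_host, domain):
        raise ValueError(f"{request_host} may not set a cookie for {domain}")
    return Cookie(name, value, domain, False)


def sent_to(cookie: Cookie, host: str) -> bool:
    """Would the browser attach this cookie to a request for host?"""
    if cookie.host_only:
        return host.lower() == cookie.domain
    return domain_matches(host, cookie.domain)


def rejected(header: str, request_host: str) -> bool:
    """True if the browser would discard this Set-Cookie (domain not a parent of the setter)."""
    try:
        parse_set_cookie(header, request_host)
        return False
    except ValueError:
        return True
```

Note that the scoped cookie is also sent to api-internal.example.com and any other subdomain, so it should carry `Secure` and `HttpOnly` and no untrusted host should live under example.com.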