CSRF abuses the browser automatically attaching credentials, causing an unwanted authenticated action. It does not read the cookie (SOP/HttpOnly prevent that — that would be theft), it does not inject script (that is XSS), and it does not sit in the network path (that is MITM).
Official docs