CSRF expiring before form submitted

There are absolutely security concerns with this; otherwise, the session timeout would be useless in the first place.

That said, there may be good reasons to disable session timeouts, but in this case, you can and should do so explicitly, and with full regard of all consequences.

To add to the solution: while I think it's already questionable to have a single form on a single web page that takes that long to fill out without saving in the meantime, with the risk of losing the whole work when anything goes wrong (big usability issue), I think what you do want to achieve is prolonging the session (and thus the validity of the CSRF token) by doing an AJAX request every so often while the user is still active. So you should monitor whether any form fields were changed (for example, within the last 5 minutes), and only then start the AJAX request.
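The activity-gated keep-alive described in this answer, as an added example that is not part of the original post. The `/session/keepalive` endpoint, the `X-CSRF-Token` header, the `data-keepalive` form attribute and the `csrf_token` field name are all assumptions; the decision logic is kept separate from the DOM wiring so it can be exercised outside a browser.

```javascript
// Added example (not from the original answer): extend the session, and with it
// the CSRF token bound to that session, only while the user is actually editing
// the long form. Endpoint path, header name and form selectors are assumptions.

const KEEPALIVE_URL = '/session/keepalive';   // hypothetical server endpoint
const CSRF_HEADER = 'X-CSRF-Token';           // hypothetical header name
const CHECK_INTERVAL_MS = 5 * 60 * 1000;      // look for edits every 5 minutes

// Core logic, free of DOM and timer calls.
// sendPing(): Promise resolving to true if the server refreshed the session,
// false if it reports the session is already gone (e.g. 401/403).
function createKeepAlive(sendPing) {
  let dirty = false;    // any field changed since the last check
  let stopped = false;  // server said the session is dead; stop pinging
  let pings = 0;

  return {
    noteChange() { if (!stopped) dirty = true; },
    async tick() {
      // Idle user: no ping, so the session times out exactly as configured.
      if (stopped || !dirty) return 'idle';
      dirty = false;
      const alive = await sendPing();
      if (!alive) {
        // Session (and therefore the CSRF token) is gone; further pings are pointless.
        stopped = true;
        return 'expired';
      }
      pings += 1;
      return 'pinged';
    },
    pingCount() { return pings; },
    isStopped() { return stopped; },
  };
}

// Browser wiring: listen for edits, check on a timer, warn once the session is lost.
function attachKeepAlive(form, tokenField) {
  const sendPing = async () => {
    const res = await fetch(KEEPALIVE_URL, {
      method: 'POST',
      credentials: 'same-origin',
      headers: { [CSRF_HEADER]: tokenField.value },
    });
    return res.ok; // 401/403 (session expired) -> false
  };
  const ka = createKeepAlive(sendPing);
  form.addEventListener('input', () => ka.noteChange());
  const timer = setInterval(async () => {
    if ((await ka.tick()) === 'expired') {
      clearInterval(timer);
      alert('Your session has expired. Copy your work, then log in again.');
    }
  }, CHECK_INTERVAL_MS);
  return ka;
}

// Only runs where a DOM exists; the selectors are hypothetical.
if (typeof document !== 'undefined') {
  const form = document.querySelector('form[data-keepalive]');
  if (form) attachKeepAlive(form, form.elements['csrf_token']);
}
```

The server side of `/session/keepalive` must only touch the session (refresh its idle timer) and must itself require the CSRF token, otherwise a cross-site page could keep a victim's session alive indefinitely.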


You don't need to set an independent expiry time for the CSRF token. The token needs to be unique and valid for the current user session; when the user session expires, the CSRF token expires along with it, and then you must generate a new token. This could be a simple solution.