CSRF issue in django

Question

settings.py

INSTALLED_APPS = [
    ...
    'corsheaders',
]


MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.common.CommonMiddleware',
    ...
]


ALLOWED_HOSTS = ['*']
CORS_ORIGIN_ALLOW_ALL = True

ajax request

            $.ajax({
                type: "POST",
                url: `https://example.com/requestlink/`,
                crossDomain: true,
                data: {
                    link: link,
                    csrfmiddlewaretoken: csrf,
                },

                success: function (data) {
                    if (data) {
                        data.forEach(src => {
                            createresult(src);
                        })
                    }
                    icon.classList.replace('loading', 'search');
                },
                error: function (data) {
                    icon.classList.replace('loading', 'search');
                }
            })

Now when i do ajax post request, I got this in console tab

Status 403 Forbidden
Version HTTP/1.1
Transferred 1.53 KB (2.50 KB size)
Referrer Policy no-referrer-when-downgrade

and this in backend

Forbidden (Referer checking failed - https:// anotherexample.com / does not match any trusted origins.): /requestlink/

Why so?