CSRF check failing

On NC18, when I try to start a video conference, it

a) doesn’t work in Chrome
b) sort of works in Edge, but I never get audio or video

When I look in the Console, is see this:

HTTP404: NOT FOUND - The server has not found anything matching the requested URI (Uniform Resource Identifier).
(XHR)GET - https://nextcloud.mydomain.com/ocs/v2.php/apps/spreed/api/v1/signaling/ode8o2t9
Stop pulling messages after repeated failures

[…]

CSP14309: Unknown directive ‘manifest-src’ in Content-Security-Policy - directive will be ignored.
Joining call

[…]

HTTP404: NOT FOUND - The server has not found anything matching the requested URI (Uniform Resource Identifier). (XHR)DELETE - https://nextcloud.mydomain.com/ocs/v2.php/apps/spreed/api/v1/call/ode8o2t9
Unhandled promise rejection Error

If I go to the URI in my browser, I see this:

Access forbidden
CSRF check failed

I imagine it’s a security configuration on my Apache server, but I’m not sure which one it is. Or maybe not, I don’t know.

Any ideas what could be causing this?