CSRF protection in 5.0 is not integrated with legacy, meaning forms across both kernels is impossible.

However a look into how Symfony deal with this reveals that the fix is simple:

• Inject the csrf framework.secret from symfony to legacy
• Change ezformtoken to use this secret and generate token in the following way:
  • sha1( $this->secret . $intention . $this->session->getId() );
  • $intention can be set to "legacy"
  • there is no need to save it in the session anymore
• (optional) Also inject Symfony yml param framework.csrf_protection.field_name and change ezformtoken to accept this form field name as well.