The "session-cookie plus CSRF-token" thing for API as currently implemented might be overhauled (either replaced or improved) by usage of WSSE:

• WSSE is a standard
• implementing a WSSE authenticator (sf side) is straightforward: it is the default example given in the cookbook!
• the client-side should be simple enough. Ex: http://stackoverflow.com/questions/15779170/how-to-properly-generate-a-wsse-password-digest-in-php, https://github.com/vrruiz/wsse-js
• it is implemented by omniture, typepad, movabletype, fosrestbundle

I am not 100% sure that the 2 technologies cover the exact same aspects.
Probably for best ever protection, they should be combined.

• CSRF is avoided by using the token
• replay attacks are avoided by making clients use a nonce
  Some background info: http://stackoverflow.com/questions/5691492/csrf-tokens-vs-nonce-confusion-are-they-the-same

Maybe we could implement WSSE with the following improvement: the "secret" to be used for hashing nonces is the CSRF token.

And voilà, 5 stars in API security