The CSRF_TOKEN is stored in 'data.csrf_token', not 'csrf_token'. I replaced
angular.module("app").constant("CSRF_TOKEN", response.csrf_token);
with
angular.module("app").constant("CSRF_TOKEN", response.data.csrf_token);
in the bootstrap.js file. Now it works.