An attacker can steal the session if there is an XSS on your app. But stealing key looks harder as it is never exposed to front-end.
There might be other vulnerabilities that might result in token hijacking like insecure communication. It is always possible for tokens to be stolen.
As an improvement, CSRF token can be generated again for each form. In this case, the list of generated valid CSRF tokens should be stored per user session. So that, at a given moment there might be more than one valid CSRF token for a user. This will allow users to work on multiple tabs.
You might want to read OWASP Session Management Recommendations. It is a bit long but very helpful.
I believe creating a new CSRF token for every page is a bit too much "security" compared to its benefit. In fact OWASP CSRF Prevention Cheat Sheet describes prevention using a single token per session.
Also it would be more secure to create token with one way hashing (like sha-512) instead of encrypting session ID.