The token in the page has to match the token stored in a cookie (or session).
The site that set the cookie knows what that token value is and can specify it in the form.
A third-party attacker's site cannot know what that token value is, so it can't specify it.
You test to see if the token in the cookie matches the one in the form data; if they don't match, you reject the request as CSRF.
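
The check described above, as an added example that is not part of the original text: Python standard-library code for the cookie variant, issuing the token in both the cookie and a hidden form field and then comparing them on submission. The names `csrf_token`, `issue_token` and `is_csrf_safe`, and the sample requests, are assumptions constructed for illustration.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

COOKIE_NAME = "csrf_token"  # assumed cookie name
FIELD_NAME = "csrf_token"   # assumed hidden form field name


def issue_token():
    """Return (token, Set-Cookie value, hidden field HTML) for a new form page."""
    token = secrets.token_urlsafe(32)  # unpredictable, so a third party cannot guess it
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    cookie[COOKIE_NAME]["path"] = "/"
    cookie[COOKIE_NAME]["secure"] = True
    cookie[COOKIE_NAME]["samesite"] = "Lax"
    field = f'<input type="hidden" name="{FIELD_NAME}" value="{token}">'
    return token, cookie[COOKIE_NAME].OutputString(), field


def is_csrf_safe(cookie_header, form_body):
    """True only if exactly one form token is present and it equals the cookie token."""
    cookies = SimpleCookie()
    cookies.load(cookie_header or "")
    morsel = cookies.get(COOKIE_NAME)
    # parse_qs drops blank values, so an empty token field counts as missing.
    submitted = parse_qs(form_body or "").get(FIELD_NAME, [])
    if morsel is None or not morsel.value or len(submitted) != 1:
        return False
    # Constant-time comparison of the two copies of the token.
    return hmac.compare_digest(morsel.value.encode(), submitted[0].encode())


if __name__ == "__main__":
    token, set_cookie, field = issue_token()
    print("Set-Cookie:", set_cookie)
    print(field)
    cookie_header = f"session=abc123; {COOKIE_NAME}={token}"  # constructed request
    # Same-site form post: the page could embed the token, so it matches.
    print(is_csrf_safe(cookie_header, f"amount=10&{FIELD_NAME}={token}"))  # True
    # Cross-site post: the browser attaches the cookie, but the form has no token.
    print(is_csrf_safe(cookie_header, "amount=10"))  # False
```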