There is no (practical) way of knowing if your user will still use the token or not. Thus, you will have to automatically delete (and thus invalidate) them after x hours, for example by using a cronjob.
Just a suggestion: Are you sure that you really need one-time tokens? OWASP themselves say that it is not absolutely necessary for security: "In general, developers need only generate this token once for the current session. [...]) (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet).
Keep in mind that one-time tokens also make tabbed browsing or using the browser history a huge pain.