9 – Different behavior of URL response and service response

I am trying to pass the csrf_token or session token without an additional request.
I am able to get the token using the /session/token endpoint.

I am observing a different behavior here.
The response of the routing service endpoint /session/token and the result of Drupal::service('csrf_token')->get() are different in Drupal 9.

Why do the above-mentioned methods give different values? The CsrfTokenController::csrfToken class method is hit by the /session/token route.

How can I get the /session/token value in a module?

Which other service can give a response equal to /session/token, making CSRF-TOKEN validation successful?
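An added example, not part of the original question and not Drupal core code: a standalone PHP model of a seeded HMAC token generator, showing that the token depends on the value passed to get(), so a call with no argument cannot match a token generated for the request-header key. The class name, seed and secret are constructed, and the TOKEN_KEY string is assumed to match \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::TOKEN_KEY.

```php
<?php
// Standalone model; runs without a Drupal bootstrap. All key material is constructed.
declare(strict_types=1);

// URL-safe base64 of an HMAC-SHA256 digest.
function hmac_base64(string $data, string $key): string {
  $raw = hash_hmac('sha256', $data, $key, true);
  return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Hypothetical stand-in for the csrf_token service: the token is bound to a
// per-session seed, a site secret, and the $value the caller passes in.
final class ModelCsrfTokenGenerator {
  private string $sessionSeed;
  private string $siteSecret;

  public function __construct(string $sessionSeed, string $siteSecret) {
    $this->sessionSeed = $sessionSeed;
    $this->siteSecret = $siteSecret;
  }

  public function get(string $value = ''): string {
    return hmac_base64($value, $this->sessionSeed . $this->siteSecret);
  }

  public function validate(string $token, string $value = ''): bool {
    // Constant-time comparison so the check does not leak the token via timing.
    return hash_equals($this->get($value), $token);
  }
}

// Assumption: same string as CsrfRequestHeaderAccessCheck::TOKEN_KEY in core.
const TOKEN_KEY = 'X-CSRF-Token request header';

$generator = new ModelCsrfTokenGenerator('constructed-session-seed', 'constructed-site-secret');

$fromService = $generator->get();          // models ->get() called with no argument
$fromRoute   = $generator->get(TOKEN_KEY); // models the value behind /session/token

// Compare the two tokens, then validate each one the way a header check would.
var_dump($fromService === $fromRoute);
var_dump($generator->validate($fromService, TOKEN_KEY));
var_dump($generator->validate($fromRoute, TOKEN_KEY));
```

Inside a Drupal module, the corresponding call is \Drupal::service('csrf_token')->get(\Drupal\Core\Access\CsrfRequestHeaderAccessCheck::TOKEN_KEY), made in the same session as the request that will carry the X-CSRF-Token header.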