authentication – Not convinced of the security of a JWT + CSRF token

CSRF will need to be defined in the request header.

The anti-CSRF token will be submitted in the body of the request message.
If there is an XSS vulnerability and an attacker manages to exploit it, the last element that will probably preoccupy it is the anti-CSRF token. XSS is a much more powerful attack, and an attacker can handle almost anything with XSS.

In addition, the anti-CSRF token is stored in a masked form field in the html code.

There exists for each request to be linked to a specific user session.
There is literally to make CSRF impossible, even if the token leaks somehow. An attacker could manipulate only the current active session of this user from whom he stole the anti-CSRF token.

But what if an attacker gets your CSRF token with XSS and sets it as the header for requests sent by a malicious website with a CSRF exploit? Is this attack possible?

The JWT would still be protected.
I suggest you read about how CSRF works: