What's a bad control character?

In a Jason Haddix video, "How To Shot Web", he explains that it is possible to bypass the CSRF protection by adding incorrect control characters to the value of the CSRF parameter. what does he mean?
This video: https://youtu.be/-FAjxUOKbdI?t=2240