Yes, it can be added, but manually going over all form. Also, how would it protect against a CSRF without the token in place?

Note: I totally agree that we should strive to go HTML first. However, this specific example is a bit unfair.