That's not what CSRF protects against and neither is it meant to. CSRF happens when you try to submit a form hosted on your site to a target site that the user has already authenticated to.
Here, the real form can be accessed from the attacker's browser, not the victim's, hence the attacker knows the CSRF tokens. CSRF doesn't protect against phishing.
Here, the real form can be accessed from the attacker's browser, not the victim's, hence the attacker knows the CSRF tokens. CSRF doesn't protect against phishing.