If this is isolated to one user, that's usually because the user is trying the flow across browsers or devices instead of completing the whole flow inside one browser.
For example, they might be requesting the Change Password on their phone but then open up their email on a desktop and click the link. Thus the desktop browser would be missing the CSRF token from the beginning of the flow.
This can also happen if they request it on Chrome, but click the link in the email in Firefox (or even Incognito/Private browser vs normal).
If it is more widespread (across many users) then it is probably something else, like a theme issue.
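
A minimal model of the behaviour described above, as an added example that is not part of the original reply and not any vendor's actual implementation. It assumes the flow stores the CSRF token in a browser cookie and binds the emailed link to it with an HMAC; the function names, the cookie name and the result strings are hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed per-process signing key


def start_flow(cookie_jar: dict) -> str:
    """Begin a password-change request in one browser (modelled as a cookie jar).

    Stores a random CSRF token as a cookie in that browser and returns the
    value carried by the emailed link: an HMAC that binds the link to the token.
    """
    token = secrets.token_urlsafe(32)
    cookie_jar["csrf"] = token  # assumed cookie name
    return hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()


def complete_flow(cookie_jar: dict, link_state: str) -> str:
    """Validate the emailed link against the browser that opened it."""
    token = cookie_jar.get("csrf")
    if token is None:
        # The link was opened in a browser that never started the flow.
        return "csrf_cookie_missing"
    expected = hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, link_state):
        # This browser holds a token, but from a different request.
        return "csrf_mismatch"
    return "ok"


def demo() -> dict:
    # Three separate cookie jars: phone, desktop, and a second browser
    # on which the user had started an earlier, unrelated request.
    phone, desktop, second_browser = {}, {}, {}
    start_flow(second_browser)   # older request, different token
    link = start_flow(phone)     # the request whose email link gets clicked
    return {
        "same_browser": complete_flow(phone, link),
        "other_device": complete_flow(desktop, link),
        "other_browser_stale": complete_flow(second_browser, link),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Logging the two failure reasons separately helps tell the single-user cross-browser case apart from a widespread problem, where failures would also show up for users who stay in one browser.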