Although CSRF errors do display a 403 error, they usually include the cryptic message: 'The action you have requested is not allowed.' (this can be seen in the csrf_show_error() method of the Security class).
However, if I were to assume that you just didn't show that part of the message for some reason, the next question is whether the JavaScript you included was in a .js file or included directly in a script element in a .php file (a view)? Servers are often configured not to execute PHP within files other than those ending with the .php extension. In most cases, you're better served putting the necessary CSRF token/hash elsewhere in the view (in a pair of data-* attributes or hidden inputs) and retrieving them as needed in the JavaScript.
Does this happen on the first run of the script, or only on subsequent posts? With csrf_regenerate enabled, the token will change on each post, so you have to send the new CSRF token with the response in your PHP and receive it in your JavaScript, storing it for the next post.
