Is cookie_httponly set to false? If security is your primary concern this should be set to true which will break the code you posted. Instead of reading the cookie from JS, return the new token with every AJAX call and store it in a variable for subsequent requests.
csrf_regenerate set to true will also cause 403 issues if you make concurrent AJAX calls.