Hi @AndyC,
Well, it depends on the level of security you want to accomplish.
The most simple thing you can do is to inject a custom header: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers
Using a custom header, however, is if at all only “secure” if your app is not vulnerable to XSS.
The next best thing you can do is to go with a “Double Submit Cookie”: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Double_Submit_Cookie
stormpath has a nice article about it, too: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage.
And, if this is an option, don’t store the JWT in a cookie at all, then XSRF is not an issue.
Hope this helps.