Having thought a bit about it, one solution could be to pre-generate a bunch of random strings that are put in a separate file in the page bundle, but I can’t think of a way to make Hugo choose a different line from the file on each page load. Also, I’m not sure if it would be possible to hide the content of this file from regular visitors without making it inaccessible to Hugo as well.
This pre-generated list could be renewed every time I build the site, to ensure a fresh supply of random strings.
It would probably not be as secure as a real CSRF-solution, but at least it’s something.
EDIT: And if it simply is not possible to achieve this with Hugo only, it would be nice to find a way for Hugo to output .php-files 
EDIT2: I created a separate topic regarding my attempts to include PHP on the contact page.