In your form_for's, you need to pass a non-host specific token if you intend for forms on subdomains to post to a root domain or vice versa. By default, Phoenix HTML’s form_for will generate a token specific to the host of the form action, if it exists, which sounds like the cause of your issues, but it’s not clear how you are handling subdomains and form action urls. Try doing:
<%= form_for ..., ..., csrf_token: Plug.CSRFProtection.get_csrf_token(), fn f -> ...