Quoting the OWASP Cheat Sheet on CSRF Prevention:
Using the Synchronizer Token Pattern:
CSRF tokens should be:
- Unique per user session.
- Secret.
- Unpredictable (large random value generated by a secure method).
As far as I can tell, App Check is all of these. As I understand it, their token generation uses a server secret (though it may involve some frontend computation as well), which is then verified by the API endpoint.
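The three properties in the quoted list, shown as a minimal server-side synchronizer token check. This is an added example, not part of the original post or the OWASP text, and it makes no claim about how App Check works; the in-memory session store and all function names are assumptions.

```python
import hmac
import secrets
from typing import Dict, Optional

# Stand-in for a real server-side session backend (assumption for this
# example): maps session_id -> CSRF token. The token never leaves the
# server except inside pages rendered for that session, so it stays secret.
_SESSIONS: Dict[str, str] = {}


def new_session() -> str:
    """Create a session and bind a fresh CSRF token to it."""
    session_id = secrets.token_urlsafe(32)
    # Unpredictable: 32 bytes from the OS CSPRNG.
    # Unique per user session: one token is generated per session_id.
    _SESSIONS[session_id] = secrets.token_urlsafe(32)
    return session_id


def csrf_token_for(session_id: str) -> str:
    """Token the server embeds in forms it renders for this session."""
    return _SESSIONS[session_id]


def verify_request(session_id: str, submitted_token: Optional[str]) -> bool:
    """Accept a state-changing request only if its token matches the session's."""
    expected = _SESSIONS.get(session_id)
    if expected is None or not submitted_token:
        return False  # unknown session, or token missing from the request
    # Constant-time comparison so response timing does not leak the token.
    return hmac.compare_digest(expected.encode(), submitted_token.encode())


if __name__ == "__main__":
    alice = new_session()
    bob = new_session()
    print("own token accepted:     ", verify_request(alice, csrf_token_for(alice)))
    print("other session's token:  ", verify_request(alice, csrf_token_for(bob)))
    print("missing token:          ", verify_request(alice, None))
```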