If you create the form manually (i.e. without using the yii form methods), you should add an input field like this:
<input type="hidden" name="_csrf" value="<?=Yii::$app->request->getCsrfToken()?>" />
source: http://zero-exception.blogspot.com/2015/01/yii2-using-csrf-token.html