
Comparing changes
base repository: vimalloc/flask-jwt-extended
base: 4.5.3
head repository: vimalloc/flask-jwt-extended
compare: 4.6.0
  • 3 commits
  • 7 files changed
  • 3 contributors

Commits on Nov 29, 2023

  1. Commit f65202f

Commits on Dec 13, 2023

  1. Do not check JWT_TOKEN_LOCATION when setting csrf value in a jwt (#538)

    Previously, we would only include the csrf double submit value in a
    jwt if `JWT_COOKIE_CSRF_PROTECT` was true (the default) AND
    `JWT_TOKEN_LOCATION` was configured to use cookies.
    
    However, since we allow overwriting `locations` on a per-route basis
    instead of only globally for the whole application, we could create a
    situation where a single route was configured to use cookies when the
    rest of the app was not, and csrf checks were not happening against
    that endpoint.
    
    This change makes it so that any jwts will be encoded with a csrf value
    when `JWT_COOKIE_CSRF_PROTECT` is true, regardless of if the app is
    globally configured to use cookies. It will also verify the csrf double
    submit token on any route that uses cookies when `JWT_COOKIE_CSRF_PROTECT`
    is true, regardless of if that is set globally in the application or on an
    individual route.
    
    As a result of this change, you might notice that using jwts without
    cookies now include a csrf value. This will not change the behavior
    of non-jwt based endpoints at all, your jwts will just be a little
    bigger. You can remove that key from the jwt by explicitly setting
    `JWT_COOKIE_CSRF_PROTECT` to False, if you are not using cookies.
    vimalloc authored Dec 13, 2023
    Commit 84c1946
  2. Bump to 4.6.0

    vimalloc committed Dec 13, 2023
    Commit b483ff2
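
The behaviour change described in commit 84c1946, modelled as an added example; this is not code from flask-jwt-extended. `Config`, `csrf_enabled`, `encode_claims` and `cookie_route_accepts` are hypothetical names, and the verification side is assumed to gate on the same condition as encoding. It shows an app that is header-only globally, with one route reading the JWT from a cookie, under the previous rule and the new one.

```python
# Simplified model of the CSRF decision in the commit message; hypothetical names.
import hmac
import uuid
from dataclasses import dataclass


@dataclass
class Config:
    token_location: tuple = ("headers",)   # models JWT_TOKEN_LOCATION (global)
    cookie_csrf_protect: bool = True       # models JWT_COOKIE_CSRF_PROTECT


def csrf_enabled(cfg, legacy):
    """legacy=True: previous rule (flag AND cookies configured globally).
    legacy=False: new rule (flag alone)."""
    if legacy:
        return cfg.cookie_csrf_protect and "cookies" in cfg.token_location
    return cfg.cookie_csrf_protect


def encode_claims(cfg, identity, legacy):
    """Build the claim set; the csrf double submit value is added only when enabled."""
    claims = {"sub": identity}
    if csrf_enabled(cfg, legacy):
        claims["csrf"] = str(uuid.uuid4())
    return claims


def cookie_route_accepts(cfg, claims, csrf_header, legacy):
    """Models a route whose per-route locations override is cookies.
    Returns True when the request is let through."""
    if not csrf_enabled(cfg, legacy):
        return True  # no double submit check is performed at all
    expected = claims.get("csrf")
    if expected is None or csrf_header is None:
        return False
    return hmac.compare_digest(expected, csrf_header)


def demo():
    """Map legacy flag -> (has csrf claim, passes with no header, passes with matching header)."""
    cfg = Config()  # constructed sample: header-only app, one cookie route
    results = {}
    for legacy in (True, False):
        claims = encode_claims(cfg, "alice", legacy)
        results[legacy] = ("csrf" in claims,
                           cookie_route_accepts(cfg, claims, None, legacy),
                           cookie_route_accepts(cfg, claims, claims.get("csrf"), legacy))
    return results
```

Under the previous rule the cookie route lets a request through with no CSRF header; under the new rule the same request is rejected and only a matching double submit value passes.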