
If browsers could fix CSRF for JSON they could probably fix it in general. My impression is that browsers have done what they can. Sites without CSRF protection should do a better job.



The Origin HTTP header[0] is the fix for CSRF.

It's been plagued initially by slow adoption and later by inconsistent support, like the example in this article and others[1], but as a general spec it should fix CSRF if implemented consistently and correctly by browser vendors.

[0] https://tools.ietf.org/html/rfc6454#section-7

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1508661


SameSite cookies handle pretty much all cases and are supported in all modern browsers. If your login (which is what usually issues the cookie) does a module/nomodule check SameSite is probably enough.
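A server-side check combining the two mitigations discussed in this thread, an Origin allow-list (with the missing-header case the Mozilla bug above illustrates handled conservatively) plus a SameSite session cookie, as an added example that is not code from either commenter; the allow-list origin and cookie name are constructed values.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the only origin permitted to issue state-changing requests.
ALLOWED_ORIGINS = {"https://app.example.test"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # no state change, so no CSRF check


def origin_of(url):
    """Reduce an absolute URL (e.g. a Referer value) to its scheme://host[:port] origin."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_decision(method, headers, allowed=ALLOWED_ORIGINS):
    """Return (allowed, reason) for one request.

    Origin is authoritative when present. Because browser support has been
    inconsistent, a missing Origin falls back to the Referer's origin, and a
    request with neither header is rejected rather than trusted.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is not None:
        if origin.strip().lower() == "null":
            # Opaque origin (sandboxed frame, redirect chain): never trust it.
            return False, "opaque origin"
        return origin.strip().lower() in allowed, "origin checked"
    referer = h.get("referer")
    if referer:
        return origin_of(referer) in allowed, "referer fallback"
    return False, "no origin or referer"


def session_cookie(name, value, same_site="Lax"):
    """Set-Cookie value for a login cookie; SameSite stops cross-site sends."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite={same_site}"


if __name__ == "__main__":
    print(csrf_decision("POST", {"Origin": "https://evil.example.test"}))
    print(session_cookie("sid", "constructed-session-id"))
```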





