Is this what you're saying about the inline flow? I have tested it for the CSRF token expiry and it's displaying the message correctly.
dmx-on:forbidden="run({condition:{outputType:'boolean',if:`lastError.response.contains(\'CSRF\', false)`,then:{steps:[{run:{outputType:'text',action:`scf_user_login_auth_sms.alert1.show()`}},{run:{outputType:'text',action:`scf_user_login_auth_sms.alert1.setType(\'danger\')`}},{run:{outputType:'text',action:`scf_user_login_auth_sms.alert1.setTextContent(\'The CSRF token has expired. Please refresh the browser.\')`}}]},else:{steps:[{run:{outputType:'text',action:`scf_user_login_auth_sms.alert1.show()`}},{run:{outputType:'text',action:`scf_user_login_auth_sms.alert1.setType(\'danger\')`}},{run:{outputType:'text',action:`scf_user_login_auth_sms.alert1.setTextContent(lastError.response)`}}]}}})"