Use REST To Request User Password Reset on Crowd?

I'm writing a script to create users, add them to a group and then send a password reset email from Crowd.

I'm using application credentials to handle this and I can create the user and add them to a group fine, but when I try and request the password reset using

curl -k -D- -u "applicationname:apppassword" -X POST https://mycrowdserver/crowd/rest/usermanagement/1/user/mail/password?username=usertoreset

I get

HTTP/1.1 403 Forbidden

and

XSRF check failed

The documentation suggests "the application is not allowed to update the user's password" but I can't see how I would enable it anywhere in Crowd if it is even disabled.

I can't find a solution to this after a lot of searching, can anyone help please?