oauth 2.0 - How does PKCE protect against CSRF attacks? - Stack Overflow

It's unclear to me how PKCE will fundamentally protect against CSRF attacks. If I'm logged in as an authorized user and click a malicious link to "change the state" of my application, how will PKCE block that from happening? The access/refresh tokens are already granted; where does validation of the code_verifier/code_challenge come into play to block this?