Thanks to Greg I was able to find what the problem was. As he stated, if you send too much data it can be truncated.
To diagnose the problem I actually displayed the data received by the SecurityComponent. You can access it in
vendor\cakephp\cakephp\src\Controller\Component\SecurityComponent.php. In this file there is a function
_validToken(Controller $controller). Displaying the content of the
$check variable might help (I used the
pr() function for this).
I noticed that some data I sent was actually missing. And obviously, as stated by CakePHP, the _Token was also missing.
The only thing I had to do was increase max_input_vars in my php.ini