Correct, the only place to retrieve the CSRF token is from the /api/config endpoint.
Neither method is superior to the other. When we were building out the original API, we used cookie authentication as it was built into the browser. With the advent of the write API, I added bearer token authentication to enable easier server-to-server communication.
The read API is meant to be used with cookie authentication, and the write API is meant to be used with bearer authentication, although both support both types.