Well, it was something foolish I changed that caused this. "Days to remember user login sessions" was set to 0. This seemed to work at first, but it actually prevents you from logging in.
After the CSRF error was cleared up, I wanted to see if this was definitely what broke it. Yet, setting it to 0 again appeared to have different behavior. It just brings you back to the homepage as a guest after you try to login instead of failing with any errors such as Forbidden (due to CSRF).
Actually, it seemed like the CSRF problem was not immediately resolved after increasing the days setting, but I didn't do much else, except to copy all data including accounts to the new installation so that I could log in as my usual user.
I actually copied the entire objects collection and ran ./nodebb setup to recreate the other collections. This allowed me to log into my usual account successfully on the new installation. Somehow, after this, logging in was working on the old installation without changing anything in the original database. This doesn't make sense though, so it must have just been that one setting causing all the problems.