Does this essentially solve XSRF? Would it no longer be necessary to use XSRF tokens?


I think they could replace XSRF tokens, but until all major browsers support the headers (Safari 11 seems to be missing support, see other comments) you can't really block requests that don't have the new Sec-Fetch-* headers.
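The fallback logic this comment describes, written out as an added example (not code from the thread or from any browser or framework): a server-side check for state-changing requests that trusts `Sec-Fetch-Site` when the browser sends it, and falls back to a classic per-session XSRF token when the header is absent. The function names and the constructed sample requests are assumptions made for illustration.

```python
import hmac
from typing import Mapping, Optional

# Sec-Fetch-Site values treated as trustworthy initiators. "none" is a
# user-initiated navigation (typed URL, bookmark); "same-site" (a sibling
# subdomain) is deliberately NOT accepted here, which is the conservative choice.
TRUSTED_SITE_VALUES = {"same-origin", "none"}

# Methods that must not change server state and therefore need no XSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def sec_fetch_verdict(headers: Mapping[str, str]) -> Optional[bool]:
    """True/False when Sec-Fetch-Site is present and decides the request,
    None when the browser did not send the header (older Safari, non-browser client)."""
    site = headers.get("Sec-Fetch-Site")
    if site is None:
        return None
    return site.strip().lower() in TRUSTED_SITE_VALUES


def token_verdict(form_token: Optional[str], session_token: Optional[str]) -> bool:
    """Classic XSRF token comparison, constant-time to avoid a timing side channel."""
    if not form_token or not session_token:
        return False
    return hmac.compare_digest(form_token.encode(), session_token.encode())


def state_change_allowed(method: str, headers: Mapping[str, str],
                         form_token: Optional[str], session_token: Optional[str]) -> bool:
    """Gate for state-changing requests.

    1. Safe methods pass without any check.
    2. If the browser says the request is cross-site, reject it even if a token is present.
    3. If the browser says same-origin (or a user navigation), accept without a token.
    4. If the header is missing, fall back to the per-session XSRF token.
    """
    if method.upper() in SAFE_METHODS:
        return True
    verdict = sec_fetch_verdict(headers)
    if verdict is False:
        return False
    if verdict is True:
        return True
    return token_verdict(form_token, session_token)


# Constructed sample inputs, not captured traffic.
SESSION_TOKEN = "5f2b9c0e7a1d4e6f"          # token stored server-side for this session
MODERN_CROSS_SITE = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate"}
MODERN_SAME_ORIGIN = {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors"}
LEGACY_NO_HEADER = {"Origin": "https://app.example"}  # e.g. Safari 11: no Sec-Fetch-* at all

if __name__ == "__main__":
    print(state_change_allowed("POST", MODERN_CROSS_SITE, SESSION_TOKEN, SESSION_TOKEN))   # False
    print(state_change_allowed("POST", MODERN_SAME_ORIGIN, None, SESSION_TOKEN))            # True
    print(state_change_allowed("POST", LEGACY_NO_HEADER, SESSION_TOKEN, SESSION_TOKEN))      # True
    print(state_change_allowed("POST", LEGACY_NO_HEADER, "wrong-token", SESSION_TOKEN))      # False
```

The point of step 2 is that once a browser does send `Sec-Fetch-Site: cross-site`, a forged request is rejected even if the attacker has somehow obtained a valid token; the token path only exists for clients that predate the header. A deployment that wants defence in depth can simply require the token in step 3 as well, at the cost of keeping token plumbing in every form.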


One other notable candidate for essentially "solving" XSRF is SameSite cookies:

https://web.dev/samesite-cookies-explained/

SameSite cookies are supported in Safari and IE11, so they're potentially a better candidate, but there are still some caveats (see here for some of them: https://security.stackexchange.com/questions/234386/do-i-sti...).


Yes, that's the idea.
