Struts 1.2 ActionForms & isTokenValid CSRF

I have an issue currently that the validate method of the actionform happens before the execute method of the action.

The reason this is an issue is that a user can submit their own request and, should they have all required fields completed, the validate passes and, using the isTokenValid(request) method, I can see that the request is invalid and forward them to an "access denied" page. However, if they do not complete all required fields in their forged request, the validate method returns errors and they are forwarded to the actual page (.jsp) with error messages displayed.

Any idea how to prevent this?

To implement CSRF prevention in Struts1 using tokens you should not allow direct access to your JSP pages.

A user should get to your forms through Struts Actions and the action will call saveToken(request) before they are forwarded to the form in the JSP page.

Where you usually forward directly to a JSP you can change to forward to an action that inherits from ActionForward. Within the execute it can then forward by calling parent ActionForward execute method. You could also implement additional logic restrictions in your new action class.

This answer to a Struts CSRF question on a separate thread may also be useful: https://stackoverflow.com/a/5339391/6136697
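Added example (not the asker's or the answerer's code) showing how the two pieces fit together in Struts 1.2 and how to close the gap the question describes, where validate() runs before execute() and a forged request with missing fields is bounced to the JSP instead of to the access-denied page. The package name, the action and forward names (`form`, `accessDenied`, `success`) and the JSP path are assumptions; the Struts API calls (`saveToken`, `isTokenValid`, `saveErrors`, `ActionForm.validate`, `ActionMapping.getInputForward`) are the framework's own. The two classes would normally live in separate files.

```java
package example.csrf; // hypothetical package name

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Step 1: the only route to the form. The JSP sits under /WEB-INF so it cannot
 * be requested directly; every visitor comes through this action, which mints a
 * transaction token before forwarding. <html:form> renders that token as a
 * hidden field automatically once saveToken() has been called.
 */
public final class ShowProfileAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response) {
        saveToken(request);                       // stores the token in the session
        return mapping.findForward("form");       // assumed forward to /WEB-INF/jsp/profile.jsp
    }
}

/**
 * Step 2: processes the POST. The mapping for this action is configured with
 * validate="false", so the RequestProcessor does NOT call ActionForm.validate()
 * before execute(). We call it ourselves, but only after the token check, so a
 * forged request never reaches field validation and never sees the JSP.
 */
final class SaveProfileAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response) {
        // Token check first. The 'true' argument resets the token so the same
        // submission cannot be replayed.
        if (!isTokenValid(request, true)) {
            return mapping.findForward("accessDenied"); // assumed forward name
        }

        // Only a request that carried a valid token gets this far.
        ActionErrors errors = form.validate(mapping, request);
        if (errors != null && !errors.isEmpty()) {
            saveErrors(request, errors);
            saveToken(request);        // re-issue a token, or the redisplayed form can't be submitted
            return mapping.getInputForward(); // back to the input JSP with the error messages
        }

        // ... persist the submitted profile here ...
        return mapping.findForward("success");   // assumed forward name
    }
}
```

In struts-config.xml the processing mapping needs `validate="false"` and an `input` attribute, for example `<action path="/saveProfile" type="example.csrf.SaveProfileAction" name="profileForm" scope="request" validate="false" input="/WEB-INF/jsp/profile.jsp">` (paths assumed). With that in place the order of checks is fixed by the code above rather than by the framework: token, then fields, and the only way to a page that shows the form is through the action that issued a token.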