SignIn mutation always returns ["invalid"] unless CSRF cookies and headers are set

[antonio-war]

When calling the SignIn mutation exactly as described in the official Sorare API documentation, the request consistently fails and returns: "errors": ["invalid"] after investigating, it turns out that for the SignIn mutation to work correctly, the following must already be present:

• Cookies: _sorare_session_id, csrftoken
• Header: X-CSRF-Token

However, this creates a chicken-and-egg problem:
SignIn is typically the very first mutation in an application flow when you use APIs, so these cookies and headers are not yet available at that point.

The SignIn mutation should work without requiring CSRF cookies and headers (since it is the entry point of the auth flow), or there should be a documented and supported way to obtain these values before executing mutations.