I think they could replace XSRF tokens, but until all major browsers support the headers (Safari 11 seems to be missing support, see other comments) you can't really block requests that don't have the new Sec-Fetch-* headers.