TLDR;
When using standalone forms change
$form->addProtection('Expired');
to
$form->addProtection('Expired')->getToken();

Error
The error is with the headers as seen below. This should be in the documentation! Solution found here: https://forum.nette.org/en/32032-using-csrf-protection-with-manual-rendering

Warning: ini_set(): Headers already sent. You cannot change the session module's ini settings at this time in ./vendor/nette/http/src/Http/Session.php on line 406

Warning: session_set_cookie_params(): Cannot change session cookie parameters when headers already sent in ./vendor/nette/http/src/Http/Session.php on line 416

Warning: session_id(): Cannot change session id when headers already sent in ./vendor/nette/http/src/Http/Session.php on line 81

Fatal error: Uncaught Nette\InvalidStateException: Cannot start session when headers already sent in ./vendor/nette/http/src/Http/Session.php:90 Stack trace: #0 ./vendor/nette/utils/src/Utils/Callback.php(96): Nette\Http\Session->Nette\Http{closure}('Cannot start se...', 2) #1 [internal function]: Nette\Utils\Callback::Nette\Utils{closure}(2, 'session_start()...', '/home/...', 104, Array) #2 [internal function]: session_start() #3 ./vendor/nette/utils/src/Utils/Callback.php(104): call_user_func_array('session_start', Array) #4 ./vendor/nette/http/src/Http/Session.php(91): Nette\Utils\Callback::invokeSafe('session_start', Array, Object(Closure)) #5 ./vendor/nette/http/src/Http/SessionSection.php(53): Nette\Http\Session->start() #6 ./vendor/nette/http/src/Http/SessionSection.php(112): Nette\Http\SessionSection->start() in ./vendor/nette/http/src/Http/Session.php on line 90