I'm wondering why failureCallable is a Closure and not a thrown Exception/Error?

With an exception we can use the Slim errorHandler functionality. Unless you use Slim for an API, I think there's a big chance that you're using the Custom Error Handling since you want errors to look good within your template.

I understand this would be difficult to change now, but I'm just wondering why this was chosen.

For completeness sake, this is what I'm doing to solve it for myself;

$guard->setFailureCallable(function($request, $response, $next) use ($errorHandler, $c){
        return $errorHandler($c)($request, $response, new Exception('failed csrf check'));
});