Can't verify CSRF token authenticity.

This does seem to be the issue. What does the form and stimulus controller look like? 

Try changing the user avatar file field to a direct upload and see if you get the same issue.
If you revert back to ERB, do you get the same issue?

I just pulled down the source for this episode and tried things out. It worked (once I updated an unrelated issue sass-rails). What ActiveStorage storage mechanism are you using?

 ☒ By chance, are you overriding ActiveStorage::DirectUploadsController#create? I've pulled your view code and stimulus controller code into the project, updated to Rails 6.1.3.1, updated yarn packages (active storage, ujs and dropzone). It still works locally.

 ☒ Personally, I'm not a fan of Less/HAML, but one thing that you could try doing is to inspect the rendered HTML from both scenarios to see if there is any difference. There could be one little change that is causing the whole smash to do something strange.