I actually solved this myself the very next day, but I wanted to check my solution in practice first. The answer is actually quite simple: double submit cookies.
So basically, whenever submit.html is called with submit.js (the iframe button responsible for sending the payment data to the API endpoint), it will get a CSRF token from the back-end server. The server will attach an encrypted cookie to submit.html as well, using HTTPS secure cookies.
Now, whenever submit.js makes a call to the API endpoint, the CSRF token will be sent back in a header. The back-end server takes the encrypted cookie that it attached to submit.html, decrypts it and compares it to the CSRF token in the header. If there is a match, the request is valid.
More info can be found here: OWASP cheat sheet.