Anyway you have to send form somewhere to the server, and you can not hide this PHP-module by redirects (these easily trace in HTTP headers so it’s protection from the kiddie-hackers only).
You already do use CSRF token and CSP’s
form-action for security. That’s good.
To complicate hackers attacks you can additionally use CAPTCHA service (like reCAPTHA, hCAPTCHA), but these third-party scripts required to be also allowed in CSP (since you use it).
But it’s impossible to hide a form handler (validation.php in your case).
It’s only possible to create validation.php handler with no vulnerabilities and leave hackers no chances.
CLICK HERE to find out more related problems solutions.