I have recently followed the official documentation on how to properly install and setup Laravel Passport in a demo application (blog).
My routes are set up following these instructions:
Next, you should call the Passport::routes method within the boot
method of your AuthServiceProvider. This method will register the
routes necessary to issue access tokens and revoke access tokens,
clients, and personal access tokens:
Csrf can be disabled for desired URI-s, as stated on https://laravel.com/docs/5.3/csrf . For an example, In VerifyCsrfToken class I've added one value
protected $except = [ 'oauth/authorize', ];
and it works.