CSRF tokens should be generated new every time you load a page. The idea behind CSRF tokens is to validate the request's authenticity. If two requests are made with the same CSRF token, it can be assumed that the second one is a replay and shouldn't be executed and is invalid or fraudulent.
CSRF tokens are used to protect any critical functionality, not just log in. Which means that every page load a new CSRF token should be generated.
So to answer your original question, typically XSS vulnerabilities are combined with CSRF. The XSS will dynamically call javascript that pulls the CSRF token from the webpage that is being attacked and introduce it into the CSRF form. So if the XSS is on the login for example, if you reproduce the CSRF tokens each page load, the attacker will only have secured a login CSRF token which in practice is useless. By regenerating the token each page load, you are limiting the scope that the CSRF token can be used abused in.