I prefer to pass the antiforgery token in the header. This way it's easy to parse out of the request on the server because it's not intermingled with your form’s data.
I then created a custom action filter to check for the antiforgery token.
I created a post already on how to do this.
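
A sketch of what a header-checking filter can look like, added here as an illustration and not the filter from the author's other post. It assumes classic ASP.NET MVC 5 (`System.Web.Mvc`); the attribute name `ValidateHeaderAntiForgeryTokenAttribute` and the header name `X-Request-Verification-Token` are hypothetical choices, and the client is assumed to copy the value rendered by `@Html.AntiForgeryToken()` into that header.

```csharp
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Added example: validates an antiforgery token carried in a request header
// against the antiforgery cookie, rejecting the request with 403 on failure.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class ValidateHeaderAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    // Hypothetical header name; the client must send the token under the same name.
    public const string HeaderName = "X-Request-Verification-Token";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException(nameof(filterContext));

        HttpRequestBase request = filterContext.HttpContext.Request;

        // Only state-changing requests are checked; safe methods pass through.
        string method = request.HttpMethod;
        if (string.Equals(method, "GET", StringComparison.OrdinalIgnoreCase) ||
            string.Equals(method, "HEAD", StringComparison.OrdinalIgnoreCase) ||
            string.Equals(method, "OPTIONS", StringComparison.OrdinalIgnoreCase))
        {
            return;
        }

        string headerToken = request.Headers[HeaderName];
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];

        // Fail closed when either half of the token pair is absent.
        if (string.IsNullOrEmpty(headerToken) || cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            filterContext.Result = new HttpStatusCodeResult(403, "Antiforgery token missing");
            return;
        }

        try
        {
            // Throws HttpAntiForgeryException if the pair does not match
            // or was issued for a different user.
            AntiForgery.Validate(cookie.Value, headerToken);
        }
        catch (HttpAntiForgeryException)
        {
            filterContext.Result = new HttpStatusCodeResult(403, "Antiforgery token invalid");
        }
    }
}
```

Apply the attribute to the controllers or actions that accept POST, PUT or DELETE requests; a request without the header is rejected before the action runs.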