th:action ... detects when this attribute is being applied on a tag, ...
and in such case calls RequestDataValueProcessor.getExtraHiddenFields(... )
and adds the returned hidden fields just before the closing tag.
Additionally, the 'value' for th:action can apparently, be any parse-able expression. The value for th:value is a mute point, as the entire <input ... /> tag is inserted 'automagically' by Thymeleaf.
Given the apparent need for th:action and the automatic insertion of the <input /> tag, I wonder at the applicability of th:href, the:src, th:value or th:field in this CSRF context. I'm sure I'm missing many important points, but this required a full day of 'research' to get the _csrf token inserted into the form.
The fact that the SO question was answered by the OP (Original Poster) some 2 weeks later, suggests that there are few who actually know how this stuff works. I'm a bit surprised at that.
Please update section 12.1 "Integration with RequestDataValueProcessor" of the Thymeleaf Spring 3 docs accordingly.