Closed
Description
Form::setData dispatches the PRE_SET_DATA event that is caught by the FormTypeCsrfExtension and invokes the EnsureCsrfFieldListener::ensureCsrfField.
This function does the following:
```php
public function ensureCsrfField(DataEvent $event)
{
    $form = $event->getForm();

    $options = array();
    if ($this->intention) {
        $options['intention'] = $this->intention;
    }
    if ($this->provider) {
        $options['csrf_provider'] = $this->provider;
    }

    $form->add($this->factory->createNamed('csrf', $this->name, null, $options));
}
```
Now assume that a given form is already bound and therefore validated. If we call isValid() everything is fine.
However, if we invoke the setData method and call the isValid() method again, an exception is thrown:
You cannot call isValid() on a form that is not bound.
This happens because the previously bound csrf Form instance was replaced. Is this the expected behaviour?
This could be solved by using $form->has before the $form->add.
I solved this issue temporarily in my case by doing this (ugly thing):

```php
$csrfTokenValue = $form["_token"]->getData();
$form->setData($user);
$form["_token"]->bind($csrfTokenValue);
```
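
The replacement behaviour described in the report, and the `$form->has` guard it proposes, reduced to a runnable model. This is an added example, not code from the report or from Symfony: `MiniForm`, `ensureCsrfFieldUnguarded` and `ensureCsrfFieldGuarded` are hypothetical stand-ins, and the field name `_token` is taken from the workaround above.

```php
<?php
// MiniForm is a hypothetical stand-in for a form node, not Symfony's Form class.
// It models only: children keyed by name, a bound flag, isValid() on unbound = error.
class MiniForm
{
    private $children = array(), $bound = false, $name;

    public function __construct($name) { $this->name = $name; }
    public function getName() { return $this->name; }
    public function has($name) { return isset($this->children[$name]); }
    public function add(MiniForm $child) { $this->children[$child->getName()] = $child; }

    public function bind($data)
    {
        $this->bound = true;
        foreach ($this->children as $child) { $child->bind(null); }
    }

    public function isValid()
    {
        if (!$this->bound) { throw new LogicException('You cannot call isValid() on a form that is not bound.'); }
        foreach ($this->children as $child) { $child->isValid(); }
        return true;
    }
}

// Listener as reported: always adds, so an existing bound child is replaced.
function ensureCsrfFieldUnguarded(MiniForm $form)
{
    $form->add(new MiniForm('_token'));
}

// Guarded variant proposed in the report: add only when the field is missing.
function ensureCsrfFieldGuarded(MiniForm $form)
{
    if (!$form->has('_token')) { $form->add(new MiniForm('_token')); }
}

foreach (array('ensureCsrfFieldUnguarded', 'ensureCsrfFieldGuarded') as $listener) {
    $form = new MiniForm('user');
    $listener($form);      // first setData(): the CSRF field is created
    $form->bind(array());  // request is bound, the token child becomes bound
    $listener($form);      // second setData() fires PRE_SET_DATA again
    try {
        $form->isValid();
        echo "$listener: isValid() ok\n";
    } catch (LogicException $e) {
        echo "$listener: ", $e->getMessage(), "\n";
    }
}
```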