I interpret the above to mean that the token will only work for requests made via the specified url, and that the token will not work when used in a request made from any other website. Hence I would think that the token is not sensitive information.
My question is as follows:
Is it ok to hardcode the http referer generated token into the request made to the service in my webapp (i.e. this means that anyone who looks at the source code can see the token), or is this a problem in terms of security?