You cannot hide or encrypt your CSRF token, as it is usually passed to the web application in HTTP GET or HTTP POST request and it should be present on HTML page (or generated by JavaScript, which is basically the same).
CSRF-token is only one way to protect your web application against auto submissions (aka CSRF attack). Its usage is recommended when dealing with not very sensitive data. If you want to protect your web application against CSRF with CSRF token, I recommend you generate a new token at least every 15-20 minutes, so it cannot be easily brute-forced.
In many real-world implementations CSRF token is bound to session identifier. The same advice is valid for session identifier as well.
As for SOP, it should not allow by default to access elements within iframes. However, there have been vulnerabilities in many browsers in the past, which allowed this behavior.
The bottom line – you do not have to hide CSRF token. Instead, generate a new one once in a while. For very sensitive actions use additional means of user verification, e.g. request for user's password or use OTP.