Support

Even though I disabled and eventually uninstalled Admin Tools

Therefore, it's not an Admin Tools Web Application Firewall issue. The code not only doesn't run, it's not even installed. You have already eliminated 80% of the troubleshooting with that statement.

This leaves us with .htaccess files.

I would start by deleting the .htaccess and .htpasswd files from your site's administrator directory. This will remove the administrator directory password protection. It doesn't have anything to do with your problem, but since you seem to be thrown out by the admin directory password let's get this out of the way.

The only other thing that could've been left behind is the .htaccess file in your site's root. Replace its contents with the contents of the htaccess.txt file provided by Joomla. This one might have something to do with your problem, but only if you have added any custom code yourself. Since I can't rule that out, I'd rather eliminate the possibility by "resetting" the file to "factory defaults" so to speak.

Beyond that, I seriously doubt that you are still logged into your administrator based on your issue description. This is easy to verify. If you can see the administrator login page you ARE NOT logged in. The login page can only be displayed when you are a Guest user. This is true for both the frontend and the administrator backend of every Joomla site since it was still called Mambo.

Most likely, the login form is submitted twice for some reason. The first one works and logs you in, the other one sees that you are now already logged in and since you got logged in Joomla rebuilt your session which also has the effect of invalidating the anti-CSRF token which leads to the message about non-matching tokens. I can't help with that, though. I have seen everything from DNS, to web server configuration, to Joomla Global Configuration, to third party extensions causing something like that over the past 20 years, but none of that has to do with my software.