Checked the same in my environment, and it works - my REST controller method received the x-csrf-token header and its value.
Error 500 is a server-side error. Could you check what exact application error is thrown in your environment? Also, add some logging to your workflow to dump the value of the gnerationNumber variable before you call setHeader() to verify that it is not null/empty at that point.