I didn't understand what you told me about the content/headers stuff.

That's why I pointed out the distinction between data conveyed in the header and data conveyed in the content/body. IF you want to mimic the form submission, you must not transfer the data in the header - no browser does that! Perhaps, the csrf_token might need to be transferred with the header but that is surely defined in the fine API documentation, right?

I GUESS, you need something like this:

#-- everything from the FORM here (nerver use colons here):
my@form_fields= (  csrf_token                        => $csrf_token,
                      #-- above looks right, according to form example
                   subscribees                       => "$name <$email
+>",
                   setmemberopts_btn                 => 'Submit Your C
+hanges',
                   send_notifications_to_list_owner" => "1"
                );

#-- read the API-doc: IF the csrf_token is required in the header
#   (use colons to prevent canonicalisation):
my @headers =   ( ':csrf_token'                      => $csrf_token,
                  ':member_verbosity_threshold'      => 0,
                  'User-Agent'                       => 'Mozilla/5.0'
                );

my $res = $ua->request(POST $_[0],
                       @headers,                    
                       Content => \@form_fields
                      );
[download]

Regarding the lifetime expiration: Of course, you must provide the currently valid csrf_token. I hope, running this application is in accordance with laws and terms of use...