Which hosts should be in the valid referers list? If you reference everything via the load balancer, then that is what you will need to add to the list. You can run a network trace (Fiddler/F12 Developer tools/etc) to see what the referrer value is in the responses to confirm. However, if you can bypass the load balancer and go directly to the servers, then you should add the servers as well. If you are calling the service provider from Pega via a connect rule, you will expect a response from that and should not need to configure the service provider. If the service provider is calling back into PRPC, then you would likely need to add the service provider as well. Again, a network trace will confirm that for you.
How does the CSRF Protection work? In which order does which validation check?
Based on the article, each request is examined for a valid token and is rejected if either no token or an invalid one is provided (otherwise, with the correct token, the request goes through). Exceptions can be configured based on the values of the HTTP Referrer header contained in the request. Thus it checks for a valid token first, and if that fails, it checks for a valid referrer.
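To make the validation order concrete, here is an added illustration of the two-step check as described in the answer above (token first, referer allowlist as the exception path). It is example code written for this thread, not Pega's own CSRF implementation; the session token, the hostnames in the allowlist (a load-balancer name plus the backend servers that can be reached directly) and the exact-host matching rule are all assumptions made for the example.

```python
import hmac
from urllib.parse import urlsplit

# Constructed sample values for the example. In a real deployment the session
# token lives in the server-side session and the allowlist comes from the
# application's configuration.
SESSION_TOKEN = "3f9a1c7e0b2d4e6f8a9b0c1d2e3f4a5b"

# Hostnames assumed for the example: the load balancer that users normally hit,
# plus the individual servers in case the load balancer can be bypassed.
VALID_REFERERS = {
    "lb.example.com",
    "app1.example.internal",
    "app2.example.internal",
}


def referer_host(headers):
    """Return the lower-cased host part of the Referer header, or None.

    Only the hostname is compared (scheme, port and path are ignored), and the
    match is exact, so "lb.example.com.evil.org" does not match "lb.example.com".
    """
    value = headers.get("Referer")
    if not value:
        return None
    try:
        host = urlsplit(value).hostname
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return None
    return host.lower() if host else None


def validate_request(headers, form_token,
                     session_token=SESSION_TOKEN, valid_referers=VALID_REFERERS):
    """Apply the order from the thread: token check first, referer as fallback.

    Returns a (accepted, reason) tuple so the decision can be logged.
    """
    # Step 1: token check. compare_digest gives a constant-time comparison so a
    # wrong token cannot be distinguished from a right one by response timing.
    if form_token and hmac.compare_digest(form_token, session_token):
        return True, "valid token"

    # Step 2: token missing or invalid; accept only if the Referer host is on
    # the configured exception list.
    host = referer_host(headers)
    if host is not None and host in valid_referers:
        return True, f"no valid token, but referer host {host} is allowlisted"

    return False, "rejected: no valid token and referer not allowlisted"


if __name__ == "__main__":
    # Constructed requests illustrating each branch.
    samples = [
        ({"Referer": "https://lb.example.com/prweb/"}, SESSION_TOKEN),
        ({"Referer": "https://lb.example.com/prweb/"}, None),
        ({"Referer": "https://app1.example.internal:8443/prweb/"}, "wrong"),
        ({"Referer": "https://lb.example.com.evil.org/"}, None),
        ({}, None),
    ]
    for hdrs, tok in samples:
        print(hdrs.get("Referer"), tok, "->", validate_request(hdrs, tok))
```

The usage block shows the cases a network trace would help you distinguish: a request carrying the correct token is accepted regardless of Referer, a tokenless request is accepted only when its Referer host is exactly one of the configured names (a port on the backend server name does not matter), and a look-alike host or a missing Referer is rejected.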