I would suggest you do not enabled browser caching setting from this plugin "system - page cache" is because we did set the token on all the login form so that can prevent these CSRF attack, you can read more this following reference link : https://docs.joomla.org/How_to_add_CSRF_anti-spoofing_to_forms

If those cache system cached the HTML page, meaning to said that it will cache this token on the page, when the user trying to login, it will always pass in the same token, so they will hit this error.

The most recent request was denied because it contained an invalid security token. Please refresh the page and try again.

I've disabled that enabled browser caching from that plugin, can you clear your browser cache and see how it goes?