Hacker News

Not at all. That's what CSRF is all about. All the attacker needs to do is get you to visit a page on the internet that they control. Then the code on the page does its magic and runs on the browser, and because you and the browser are on your network, it can work.

As a simple example, imagine that you had a test server behind a firewall in your own home network, totally inaccessible from the internet. Now let's say you have it set up so that it will, oh, let's say turn on the oven if you hit a specific URL without any authentication (like testserver/actions/oven/on, or some such). If someone knows of this, then they could contrive to have you visit a web page with some embedded resource such as an inline image that causes you to hit that URL from your browser. Boom, now your oven is on and you didn't even know it. Even if you switch to using logins and cookies on your test server to ensure that only authorized users on your network can use it, you'll still have the same problem, because when your browser hits that URL it will be in your name, and all of the right cookies will be there. That's the nature of CSRF.
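The oven scenario above, replayed against two versions of the handler, as an added example that is not part of the original comment. The first handler is the comment's test server (any GET to the action URL fires it); the second layers the usual CSRF defences on the same action: state changes only on POST, a valid session, an Origin/Referer check against the server's own origin, and a per-session anti-CSRF token compared in constant time. The session cookie is also issued with SameSite=Lax so a browser will not attach it to a cross-site image load at all. The origin `http://testserver`, the site `evil.example`, and the in-memory session table are constructed for this example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Origin the test server is served from (assumption for this example).
TRUSTED_ORIGIN = "http://testserver"

# In-memory session table: session id -> anti-CSRF token bound to that session (constructed).
SESSIONS = {}


def new_session():
    """Create a logged-in session and the anti-CSRF token tied to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid, SESSIONS[sid]


def session_cookie_header(sid):
    """Set-Cookie value for the session. SameSite=Lax stops the browser from
    sending it on cross-site subresource requests such as an <img> on another site."""
    return f"session={sid}; HttpOnly; SameSite=Lax; Path=/"


def vulnerable_oven_on(method, headers, cookies, form):
    """The comment's test server: any GET to /actions/oven/on turns the oven on,
    so an <img src=...> on a page the attacker controls is enough."""
    return method == "GET"


def _origin_of(headers):
    """scheme://host of the page that made the request, from Origin or else Referer."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return None
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}"


def hardened_oven_on(method, headers, cookies, form):
    """Same action with CSRF mitigations layered on; True means the oven was turned on."""
    if method != "POST":                          # state changes never ride on GET
        return False
    sid = cookies.get("session")
    if sid not in SESSIONS:                       # must be a logged-in user
        return False
    if _origin_of(headers) != TRUSTED_ORIGIN:     # request must come from our own pages
        return False
    token = form.get("csrf_token", "")
    # token must match the one bound to this session; constant-time compare
    if not hmac.compare_digest(token, SESSIONS[sid]):
        return False
    return True


def simulate():
    """Replay the comment's scenario against both handlers and return the outcomes."""
    sid, token = new_session()
    cookies = {"session": sid}  # the browser attaches this to every request to testserver

    # 1. <img src="http://testserver/actions/oven/on"> on a page at evil.example:
    #    a GET carrying the victim's cookies, Referer pointing at the attacker's page.
    img_hit = dict(method="GET", headers={"Referer": "http://evil.example/page.html"},
                   cookies=cookies, form={})
    # 2. Cross-site auto-submitted form: a POST with cookies; the browser adds Origin.
    cross_post = dict(method="POST", headers={"Origin": "http://evil.example"},
                      cookies=cookies, form={})
    # 3. Legitimate submit from the server's own page, carrying the session's token.
    legit = dict(method="POST", headers={"Origin": TRUSTED_ORIGIN},
                 cookies=cookies, form={"csrf_token": token})

    return {
        "vulnerable_img": vulnerable_oven_on(**img_hit),      # True: oven on
        "hardened_img": hardened_oven_on(**img_hit),          # False: GET rejected
        "hardened_cross_post": hardened_oven_on(**cross_post),  # False: wrong origin, no token
        "hardened_legit": hardened_oven_on(**legit),          # True: genuine request
    }


if __name__ == "__main__":
    print(simulate())
```

The Origin check and the token are deliberately both present: older clients and some proxies strip Referer, and the token alone still holds if the origin check is misconfigured. In a real deployment the token would be rendered into the form by the server and the cookie set with the header `session_cookie_header` builds.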
