I think after an hour the cookie that is used to validate has expired. It's not an Episerver specific thing methinks. Have a look at this article

That's a protection vs cross site request forgery. Basically what happens is that you are probably re-posting the form but the anti-forgery token validation then says that the token doesn't match the user it was created for (session timeout). So I would say it's working as intended. 

To avoid it you can redirect a logged out user to start page or reload the page since this will restart the session and give you a new valid cookie for antiforgery token.

It sounds strange that if a user starts filling out a form, takes a break for an hour, and comes back, the page fails? 

Daniel: you say we can reload the page, but when we reload the page, the error happens. 

You should be able to reload using a GET? (similar to open same address in new tab). If you reload using a POST (resending form data) it will trigger the validation of antiforgery token. Haven't tested it though but that is as it should work at least. The validation is to protect logged in users. If it didn't exist I could create posts as another logged in users with a little effort and a fake site. 

What you can do is have a javascript that sends user to startpage after x mins of inactivity / session timeout and force them to login again. This will avoid the problem with session timing out and the token becoming invalid on the forms page. 

For sites without login I guess it should be possible to remove the antiforgery check. Don't see why it's needed then. Haven't tested if that is possible with Episerver Forms out of the box though

As it is a protection against XSRF attacks, also for anonymous users, I would not advice to remove it. You could catch the exception and handle it in a way that's user friendly, e.g. showing a message that explains that they need to fill in the form again due to inactivity